Merge branch 'email-submissions'

41412efd · Enrico Pozzobon · a2add83a · 389d7d2c · 41412efd · 41412efd
Commit 41412efd authored Jul 20, 2020 by Enrico Pozzobon
11 changed files
--- a/knot/Implementations/crypto_aead/knot128v1/armcortexm_3/api.h
+++ b/knot/Implementations/crypto_aead/knot128v1/armcortexm_3/api.h
 #define CRYPTO_KEYBYTES 16 //
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
@@ -6,4 +6,3 @@
 #define CRYPTO_NOOVERLAP 1
--- a/knot/Implementations/crypto_aead/knot128v1/armcortexm_3/auxFormat.h
+++ b/knot/Implementations/crypto_aead/knot128v1/armcortexm_3/auxFormat.h
@@ -8,11 +8,12 @@
 #define LOTR32(x,n) (((x)<<(n))|((x)>>(32-(n))))
-#define sbox(a, b, c, d, e, f, g, h)                                                                            \
+#define sbox(a, b, c, d,  f, g, h) \
-{                                                                                                                             \
+{  \
-	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; e = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
+	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; a = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
 }
 typedef unsigned char u8;
 typedef unsigned int u32;
 typedef unsigned long long u64;
@@ -54,11 +55,8 @@ out[1] = (t2 << 16) | (t1 & 0x0000FFFF);                	\
 #define ROUND256( constant6Format,lunNum) {\
 	s[0] ^= constant6Format[lunNum]>> 4;\
 	s[1] ^= constant6Format[lunNum]& 0x0f;\
-	sbox(s[0], s[2], s[4], s[6], s_temp[0], s_temp[2], s_temp[4], s_temp[6]);\
+	sbox(s[0], s[2], s[4], s[6], s_temp[2], s_temp[4], s_temp[6]);\
-	sbox(s[1], s[3], s[5], s[7], s_temp[1], s_temp[3], s_temp[5], s_temp[7]);\
+	sbox(s[1], s[3], s[5], s[7], s[2], s_temp[5], s_temp[7]);\
-	s[0] = s_temp[0];\
-	s[1] = s_temp[1];\
-	s[2] = s_temp[3];\
 	s[3] = LOTR32(s_temp[2], 1);\
 	s[4] = LOTR32(s_temp[4], 4);\
 	s[5] = LOTR32(s_temp[5], 4);\
@@ -66,3 +64,4 @@ out[1] = (t2 << 16) | (t1 & 0x0000FFFF);                	\
 	s[7] = LOTR32(s_temp[6], 13);\
 }
--- a/knot/Implementations/crypto_aead/knot128v1/armcortexm_3/encrypt.c
+++ b/knot/Implementations/crypto_aead/knot128v1/armcortexm_3/encrypt.c
@@ -97,8 +97,7 @@ int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 		ROUND256(constant6Format,i);
 	}
 	// process associated data
-	if (adlen) {
+	if (adlen) { 
-		//rlen = adlen;
 		while (adlen >= RATE) {
 			packFormat(dataFormat, ad);
 			s[0] ^= dataFormat[0];
@@ -153,8 +152,6 @@ tempData[mlen]= 0x01;
 		memcpy(c, tempData, sizeof(tempData));
 	unpackFormat(tempData,(s + 2));
 		memcpy(c+8, tempData, sizeof(tempData));
-//	unpackFormat((c), s);
-//	unpackFormat((c+8),(s + 2));
 	return 0;
 }
@@ -237,10 +234,12 @@ int crypto_aead_decrypt(unsigned char *m, unsigned long long *mlen,
 		ROUND256(constant6Format, i);
 	}
 	// return tag	
-	packFormat(dataFormat, c);
+		unpackFormat(tempU8, s);
-	packFormat((dataFormat + 2), (c +8));
+		unpackFormat((tempU8+8), (s+2));
-	if (dataFormat[0] != s[0] || dataFormat[1] != s[1] || dataFormat[2] != s[2] || dataFormat[3] != s[3]) {
+	if (memcmp((void*)tempU8, (void*)c,CRYPTO_ABYTES)) {
-		return -1;
+		*mlen = 0;
+		memset(m, 0, sizeof(unsigned char) * (clen - CRYPTO_ABYTES));
+	   return -1;
 	}
 	return 0;
 }
--- a/knot/Implementations/crypto_aead/knot128v2/armcortexm_3/api.h
+++ b/knot/Implementations/crypto_aead/knot128v2/armcortexm_3/api.h
@@ -5,4 +5,3 @@
 #define CRYPTO_NOOVERLAP 1
--- a/knot/Implementations/crypto_aead/knot128v2/armcortexm_3/auxFormat.h
+++ b/knot/Implementations/crypto_aead/knot128v2/armcortexm_3/auxFormat.h
-//#include<malloc.h>
 #include"crypto_aead.h"
 #include"api.h"
 #include  <string.h>
@@ -13,7 +13,6 @@ typedef unsigned long long u64;
 #define ARR_SIZE(a) (sizeof((a))/sizeof((a[0])))
 #define LOTR32(x,n) (((x)<<(n))|((x)>>(32-(n))))
 #define puckU32ToThree(x){\
 x &= 0x92492492;\
 x = (x | (x << 2)) & 0xc30c30c3;\
@@ -27,8 +26,7 @@ x = (x | (x >> 16)) & 0xff0000ff;\
 x = (x | (x >> 8)) & 0xf00f00f0;\
 x = (x | (x >> 4)) & 0xc30c30c3;\
 x = (x | (x >> 2)) & 0x92492492;\
-}
+} 
 #define packU32FormatToThreePacket( out,  in) {\
 t2 = U32BIG(((u32*)in)[0]);	\
 t2_64 = (in[3] & 0x80) >> 7, t2_65 = (in[3] & 0x40) >> 6;	\
@@ -40,8 +38,7 @@ puckU32ToThree(temp2[2]);	\
 out[0] = (temp2[0] >> 22);	\
 out[1] = (((u32)t2_64) << 10) | (temp2[1] >> 22);	\
 out[2] =(((u32)t2_65) << 10) | (temp2[2] >> 22);	\
-}
+} 
 #define packU96FormatToThreePacket(out, in) {\
 t9 = U32BIG(((u32*)in)[2]);	\
 t1 = U32BIG(((u32*)in)[1]);	\
@@ -64,8 +61,7 @@ puckU32ToThree(temp2[2]);	\
 out[0] = (temp0[0]) | (temp1[0] >> 11) | (temp2[0] >> 22);	\
 out[1] = (temp0[1]) | (temp1[1] >> 11) | (((u32)t2_64) << 10) | (temp2[1] >> 22);	\
 out[2] = (temp0[2]) | (((u32)t1_32) << 21) | (temp1[2] >> 11) | (((u32)t2_65) << 10) | (temp2[2] >> 22);	\
-}
+} 
 #define unpackU32FormatToThreePacket(out, in) {\
 temp2[0] = (in[0] & 0x000003ff) << 22;	\
 t2_64 = ((in[1] & 0x00000400) << 21);	\
@@ -77,8 +73,7 @@ unpuckU32ToThree(temp2[1]);	\
 unpuckU32ToThree(temp2[2]);	\
 t2 = t2_65 | t2_64 | ((temp2[0] | temp2[1] >> 1 | temp2[2] >> 2) >> 2);	\
 *(u32*)(out) = U32BIG(t2);	\
-}
+} 
 #define unpackU96FormatToThreePacket( out, in) {\
 temp0[0] = in[0] & 0xffe00000;	\
 temp1[0] = (in[0] & 0x001ffc00) << 11;	\
@@ -110,23 +105,16 @@ t2 = t2_65 | t2_64 | ((temp2[0] | temp2[1] >> 1 | temp2[2] >> 2) >> 2);	\
 }
 #define ARR_SIZE(a) (sizeof((a))/sizeof((a[0])))
-#define sbox(a, b, c, d, e, f, g, h)                                                                            \
+#define sbox(a, b, c, d,  f, g, h) \
-{                                                                                                                             \
+{  \
-	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; e = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
+	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; a = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
 }
-#define U96_BIT_LOTR32_1(t0,t1,t2,t3,t4,t5){\
-t3= t1;\
-t4 = t2;\
-t5 = LOTR32(t0, 1); \
-}
 #define U96_BIT_LOTR32_8(t0,t1,t2,t3,t4,t5){\
 t3= LOTR32(t2, 2);\
 t4 =LOTR32(t0, 3);\
 t5 = LOTR32(t1, 3); \
 }
 #define U96_BIT_LOTR32_55(t0,t1,t2,t3,t4,t5){\
 t3= LOTR32(t1, 18); \
 t4 = LOTR32(t2, 18);\

--- a/knot/Implementations/crypto_aead/knot128v2/armcortexm_3/encrypt.c
+++ b/knot/Implementations/crypto_aead/knot128v2/armcortexm_3/encrypt.c
@@ -25,14 +25,14 @@ unsigned char  constant7Format[127] = {
 s[0] ^= (constant7Format[lunNum] >> 6) & 0x3;\
 s[1] ^= (constant7Format[lunNum] >> 3) & 0x7;\
 s[2] ^= constant7Format[lunNum] & 0x7;\
-sbox(s[0], s[3], s[6], s[9] , s_temp[0], s_temp[3], s_temp[6], s_temp[9]);\
+sbox(s[0], s[3], s[6], s[9] , s_temp[3], s_temp[6], s_temp[9]);\
-sbox(s[1], s[4], s[7], s[10], s_temp[1], s_temp[4], s_temp[7], s_temp[10]);\
+sbox(s[1], s[4], s[7], s[10], s[3]     , s_temp[7], s_temp[10]);\
-sbox(s[2], s[5], s[8], s[11], s_temp[2], s_temp[5], s_temp[8], s_temp[11]);\
+sbox(s[2], s[5], s[8], s[11], s[4]     , s_temp[8], s_temp[11]);\
-s[0] = s_temp[0], s[1] = s_temp[1], s[2] = s_temp[2];\
+s[5] = LOTR32(s_temp[3], 1); \
-U96_BIT_LOTR32_1(s_temp[3], s_temp [4], s_temp[ 5], s[3],  s[4], s[5]);\
 U96_BIT_LOTR32_8(s_temp[6], s_temp [7], s_temp[ 8], s[6],  s[7], s[8]);\
 U96_BIT_LOTR32_55(s_temp[9], s_temp[10], s_temp[11], s[9], s[10], s[11]);\
 }
 int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 	const unsigned char *m, unsigned long long mlen,
 	const unsigned char *ad, unsigned long long adlen,
@@ -48,7 +48,6 @@ int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 	u32 temp0[3] = { 0 };
 	u32 temp1[3] = { 0 };
 	u32 temp2[3] = { 0 }; 
 	*clen = mlen + CRYPTO_ABYTES;
 	// initialization
 	packU96FormatToThreePacket(s, npub);
@@ -63,7 +62,6 @@ int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 	}
 	// process associated data
 	if (adlen) {
-		//	rlen = adlen;
 		while (adlen >= aead_RATE) {
 			packU96FormatToThreePacket(dataFormat, ad);
 			s[0] ^= dataFormat[0];
@@ -96,7 +94,6 @@ int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 	}
 	s[9] ^= 0x80000000;
 	if (mlen) {
-		//rlen = mlen;
 		while (mlen >= aead_RATE) {
 			packU96FormatToThreePacket(dataFormat, m);
 			s[0] ^= dataFormat[0];
@@ -138,7 +135,6 @@ int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 	// return tag
 	unpackU96FormatToThreePacket(c, s);
 	unpackU96FormatToThreePacket(tempData, (s + 3));
 	memcpy(c+12, tempData, sizeof(unsigned char) * 4);
 	return 0;
 }
@@ -175,7 +171,6 @@ int crypto_aead_decrypt(unsigned char *m, unsigned long long *mlen,
 	}
 	// process associated data
 	if (adlen) {
-		//	rlen = adlen;
 		while (adlen >= aead_RATE) {
 			packU96FormatToThreePacket(dataFormat, ad);
 			s[0] ^= dataFormat[0];
@@ -249,14 +244,12 @@ int crypto_aead_decrypt(unsigned char *m, unsigned long long *mlen,
 	for (i = 0; i < PRF_ROUNDS; i++) {
 		ROUND384(i);
 	}
-	// return tag	
+	// return tag		
 	unpackU96FormatToThreePacket(tempU8, s);
-	unpackU96FormatToThreePacket((tempU8+12), (s+3));
+	unpackU96FormatToThreePacket((tempU8 + 12), (s + 3));
-	if (U32BIG(((u32*)tempU8)[0]) != U32BIG(((u32*)c)[0]) ||
+	if (memcmp((void*)tempU8, (void*)c, CRYPTO_ABYTES)) {
-		U32BIG(((u32*)tempU8)[1]) != U32BIG(((u32*)c)[1]) || 
+		*mlen = 0;
-		U32BIG(((u32*)tempU8)[2]) != U32BIG(((u32*)c)[2]) || 
+		memset(m, 0, sizeof(unsigned char) * (clen - CRYPTO_ABYTES));
-		U32BIG(((u32*)tempU8)[3]) != U32BIG(((u32*)c)[3]) ){
 		return -1;
 	}
 	return 0;

--- a/knot/Implementations/crypto_aead/knot192/armcortexm_3/auxFormat.h
+++ b/knot/Implementations/crypto_aead/knot192/armcortexm_3/auxFormat.h
 #include"crypto_aead.h"
 #include"api.h"
 #include  <string.h>
@@ -17,9 +17,9 @@ typedef unsigned long long u64;
 #define ARR_SIZE(a) (sizeof((a))/sizeof((a[0])))
-#define sbox(a, b, c, d, e, f, g, h)                                                                            \
+#define sbox(a, b, c, d,  f, g, h) \
-{                                                                                                                             \
+{  \
-	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; e = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
+	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; a = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
 }
 #define puckU32ToThree(x){\
@@ -35,7 +35,7 @@ x = (x | (x >> 16)) & 0xff0000ff;\
 x = (x | (x >> 8)) & 0xf00f00f0;\
 x = (x | (x >> 4)) & 0xc30c30c3;\
 x = (x | (x >> 2)) & 0x92492492;\
-}  
+} 
 #define packU48FormatToThreePacket(  out,  in) {\
 t1 = (u32)U16BIG(*(u16*)(in + 4));	\
 t2 = U32BIG(*(u32*)(in));	\
@@ -78,8 +78,8 @@ puckU32ToThree(temp2[2]);	\
 out[0] = (temp0[0]) | (temp1[0] >> 11) | (temp2[0] >> 22);	\
 out[1] = (temp0[1]) | (temp1[1] >> 11) | (((u32)t2_64) << 10) | (temp2[1] >> 22);	\
 out[2] = (temp0[2]) | (((u32)t1_32) << 21) | (temp1[2] >> 11) | (((u32)t2_65) << 10) | (temp2[2] >> 22);	\
-}
+} 
- #define unpackU96FormatToThreePacket( out, in) {\
+#define unpackU96FormatToThreePacket( out, in) {\
 temp0[0] = in[0] & 0xffe00000;	\
 temp1[0] = (in[0] & 0x001ffc00) << 11;	\
 temp2[0] = (in[0] & 0x000003ff) << 22;	\
@@ -108,18 +108,11 @@ t2 = t2_65 | t2_64 | ((temp2[0] | temp2[1] >> 1 | temp2[2] >> 2) >> 2);	\
 *(u32*)(out + 4) = U32BIG(t1);	\
 *(u32*)(out + 8) = U32BIG(t9);	\
 }
-#define U96_BIT_LOTR32_1(t0,t1,t2,t3,t4,t5){\
-t3= t1;\
-t4 = t2;\
-t5 = LOTR32(t0, 1); \
-}
 #define U96_BIT_LOTR32_8(t0,t1,t2,t3,t4,t5){\
 t3= LOTR32(t2, 2);\
 t4 =LOTR32(t0, 3);\
 t5 = LOTR32(t1, 3); \
-}
+} 
 #define U96_BIT_LOTR32_55(t0,t1,t2,t3,t4,t5){\
 t3= LOTR32(t1, 18); \
 t4 = LOTR32(t2, 18);\

--- a/knot/Implementations/crypto_aead/knot192/armcortexm_3/encrypt.c
+++ b/knot/Implementations/crypto_aead/knot192/armcortexm_3/encrypt.c
@@ -22,11 +22,10 @@ unsigned char  constant7Format[127] = {
 s[0] ^= (constant7Format[lunNum] >> 6) & 0x3;\
 s[1] ^= (constant7Format[lunNum] >> 3) & 0x7;\
 s[2] ^= constant7Format[lunNum] & 0x7;\
-sbox(s[0], s[3], s[6], s[9] , s_temp[0], s_temp[3], s_temp[6], s_temp[9]);\
+sbox(s[0], s[3], s[6], s[9] , s_temp[3], s_temp[6], s_temp[9]);\
-sbox(s[1], s[4], s[7], s[10], s_temp[1], s_temp[4], s_temp[7], s_temp[10]);\
+sbox(s[1], s[4], s[7], s[10], s[3]     , s_temp[7], s_temp[10]);\
-sbox(s[2], s[5], s[8], s[11], s_temp[2], s_temp[5], s_temp[8], s_temp[11]);\
+sbox(s[2], s[5], s[8], s[11], s[4]     , s_temp[8], s_temp[11]);\
-s[0] = s_temp[0], s[1] = s_temp[1], s[2] = s_temp[2];\
+s[5] = LOTR32(s_temp[3], 1); \
-U96_BIT_LOTR32_1(s_temp[3], s_temp [4], s_temp[ 5], s[3],  s[4], s[5]);\
 U96_BIT_LOTR32_8(s_temp[6], s_temp [7], s_temp[ 8], s[6],  s[7], s[8]);\
 U96_BIT_LOTR32_55(s_temp[9], s_temp[10], s_temp[11], s[9], s[10], s[11]);\
 }
@@ -57,7 +56,6 @@ int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 	}
 	// process associated data
 	if (adlen) {
-		//	rlen = adlen;
 		while (adlen >= aead_RATE) {
 			packU96FormatToThreePacket(dataFormat, ad);
 			s[0] ^= dataFormat[0];
@@ -81,8 +79,7 @@ int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen,
 		}
 	}
 	s[9] ^= 0x80000000;
-	if (mlen) {
+	if (mlen) { 
-		//rlen = mlen;
 		while (mlen >= aead_RATE) {
 			packU96FormatToThreePacket(dataFormat, m);
 			s[0] ^= dataFormat[0];
@@ -146,7 +143,6 @@ int crypto_aead_decrypt(unsigned char *m, unsigned long long *mlen,
 	}
 	// process associated data
 	if (adlen) {
-		//	rlen = adlen;
 		while (adlen >= aead_RATE) {
 			packU96FormatToThreePacket(dataFormat, ad);
 			s[0] ^= dataFormat[0];
@@ -203,12 +199,12 @@ int crypto_aead_decrypt(unsigned char *m, unsigned long long *mlen,
 		ROUND384(i);
 	}
 	// return tag	
-	packU96FormatToThreePacket(dataFormat, c);
+	unpackU96FormatToThreePacket(tempU8, s);
-	packU96FormatToThreePacket((dataFormat + 3), (c + 12));
+	unpackU96FormatToThreePacket((tempU8 + 12), (s + 3));
-	if (dataFormat[0] != s[0] || dataFormat[1] != s[1] || dataFormat[2] != s[2] || dataFormat[3] != s[3]
+	if (memcmp((void*)tempU8, (void*)c, CRYPTO_ABYTES)) {
-		|| dataFormat[4] != s[4] || dataFormat[5] != s[5]) {
+		*mlen = 0;
+		memset(m, 0, sizeof(unsigned char) * (clen - CRYPTO_ABYTES));
 		return -1;
 	}
-	//////////
 	return 0;
 }
--- a/knot/Implementations/crypto_aead/knot256/armcortexm_3/api.h
+++ b/knot/Implementations/crypto_aead/knot256/armcortexm_3/api.h
-#define CRYPTO_KEYBYTES 32  
+#define CRYPTO_KEYBYTES 32  //256/8=32
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 32
 #define CRYPTO_ABYTES 32
 #define CRYPTO_NOOVERLAP 1
--- a/knot/Implementations/crypto_aead/knot256/armcortexm_3/auxFormat.h
+++ b/knot/Implementations/crypto_aead/knot256/armcortexm_3/auxFormat.h
 #include"crypto_aead.h"
 #include"api.h"
 #include  <string.h>
@@ -9,17 +9,18 @@
 #define LOTR32(x,n) (((x)<<(n))|((x)>>(32-(n))))
-#define sbox(a, b, c, d, e, f, g, h)                                                                            \
+#define sbox(a, b, c, d,  f, g, h) \
-{                                                                                                                             \
+{  \
-	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; e = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
+	t1 = ~a; t2 = b & t1;t3 = c ^ t2; h = d ^ t3; t5 = b | c; t6 = d ^ t1; g = t5 ^ t6; t8 = b ^ d; t9 = t3 & t6; a = t8 ^ t9; t11 = g & t8; f = t3 ^ t11; \
 }
 typedef unsigned char u8;
 typedef unsigned int u32;
 typedef unsigned long long u64;
 void printU8(char name[], u8 var[], long len, int offset);
+// t9
 #define puck32(in)\
 {\
 t9 = (in ^ (in >> 1)) & 0x22222222; in ^= t9 ^ (t9 << 1);\
@@ -27,14 +28,14 @@ t9 = (in ^ (in >> 2)) & 0x0C0C0C0C; in ^= t9 ^ (t9 << 2);\
 t9 = (in ^ (in >> 4)) & 0x00F000F0; in ^= t9 ^ (t9 << 4);\
 t9 = (in ^ (in >> 8)) & 0x0000FF00; in ^= t9 ^ (t9 << 8);\
 }
+// t9
 #define unpuck32(t0){\
 	t9 = (t0 ^ (t0 >> 8)) & 0x0000FF00, t0 ^= t9 ^ (t9 << 8); \
 	t9 = (t0 ^ (t0 >> 4)) & 0x00F000F0, t0 ^= t9 ^ (t9 << 4); \
 	t9 = (t0 ^ (t0 >> 2)) & 0x0C0C0C0C, t0 ^= t9 ^ (t9 << 2); \
 	t9 = (t0 ^ (t0 >> 1)) & 0x22222222, t0 ^= t9 ^ (t9 << 1); \
 }
+//u32 t1, t2, t3,t8, 
 #define packU128FormatToFourPacket(out,in) {\
 	     t8 = U32BIG(((u32*)in)[0]);	\
 		 t1 = U32BIG(((u32*)in)[1]);	\
@@ -49,9 +50,8 @@ t9 = (in ^ (in >> 8)) & 0x0000FF00; in ^= t9 ^ (t9 << 8);\
 		out[1] = ((t3 << 16) & 0xff000000) | ((t2 << 8) & 0x00ff0000) | (t1 & 0x0000ff00) | ((t8 >> 8) & 0x000000ff);	\
 		out[0] = ((t3 << 24) & 0xff000000) | ((t2 << 16) & 0x00ff0000) | ((t1 << 8) & 0x0000ff00) | (t8 & 0x000000ff);	\
 }
+//u32 u32 t1, t2, t3,t8, 
-#define unpackU128FormatToFourPacket( out,  in) {\
+#define unpackU128FormatToFourPacket( out,  dataFormat) {\
-memcpy(dataFormat, in, sizeof(unsigned int) * 4);	\
 t3 = dataFormat[3] & 0xff000000 | ((dataFormat[2] >> 8) & 0x00ff0000) | ((dataFormat[1] >> 16) & 0x0000ff00) | (dataFormat[0] >> 24);	\
 t2 = ((dataFormat[3] << 8) & 0xff000000) | (dataFormat[2] & 0x00ff0000) | ((dataFormat[1] >> 8) & 0x0000ff00) | ((dataFormat[0] >> 16) & 0x000000ff);	\
 t1 = ((dataFormat[3] << 16) & 0xff000000) | ((dataFormat[2] << 8) & 0x00ff0000) | (dataFormat[1] & 0x0000ff00) | ((dataFormat[0] >> 8) & 0x000000ff);	\
@@ -65,7 +65,6 @@ unpuck32(t3); unpuck32(t3);	\
 ((u32*)out)[2] = U32BIG(t2);	\
 ((u32*)out)[3] = U32BIG(t3);	\
 }
 #define packU64FormatToFourPacket(  out,   in) {\
 t1 = U32BIG(((u32*)in)[0]);	\
 t2 = U32BIG(((u32*)in)[1]);	\
@@ -77,13 +76,7 @@ out[3] = ((t2 >> 16) & 0x0000ff00) | ((t1 >> 24));	\
 out[2] = ((t2 >> 8) & 0x0000ff00) | ((t1 >> 16) & 0x000000ff);	\
 out[1] = (t2 & 0x0000ff00) | ((t1 >> 8) & 0x000000ff);	\
 out[0] = ((t2 << 8) & 0x0000ff00) | (t1 & 0x000000ff);	\
-}
+} 
-#define BIT_LOTR32_1(t0,t1,t2,t3,t4,t5,t6,t7){\
-t4= LOTR32(t3, 1);\
-t5 = t0;\
-t6 = t1; \
-t7 = t2; \
-}
 #define BIT_LOTR32_16(t0,t1,t2,t3,t4,t5,t6,t7){\
 t4= LOTR32(t0, 4);\
 t5 = LOTR32(t1, 4);\
@@ -102,12 +95,11 @@ s[3] ^= (arr[lunNum] >> 6) & 0x3;\
 s[2] ^= (arr[lunNum] >> 4) & 0x3;\
 s[1] ^= (arr[lunNum] >> 2) & 0x3;\
 s[0] ^= arr[lunNum] & 0x3;\
-sbox(s[0], s[4], s[8], s[12], s_temp[0], s_temp[4], s_temp[8], s_temp[12]);\
+sbox(s[3], s[7], s[11], s[15],  s_temp[7], s_temp[11], s_temp[15]);\
-sbox(s[1], s[5], s[9], s[13], s_temp[1], s_temp[5], s_temp[9], s_temp[13]);\
+sbox(s[2], s[6], s[10], s[14],  s[7]     , s_temp[10], s_temp[14]);\
-sbox(s[2], s[6], s[10], s[14], s_temp[2], s_temp[6], s_temp[10], s_temp[14]);\
+sbox(s[1], s[5], s[9],  s[13],  s[6]     , s_temp[9], s_temp[13]);\
-sbox(s[3], s[7], s[11], s[15], s_temp[3], s_temp[7], s_temp[11], s_temp[15]);\
+sbox(s[0], s[4], s[8],  s[12],  s[5]     , s_temp[8], s_temp[12]);\
-s[0] = s_temp[0], s[1] = s_temp[1], s[2] = s_temp[2], s[3] = s_temp[3];\
+s[4]= LOTR32(s_temp[7], 1);\
-BIT_LOTR32_1(s_temp[4], s_temp[5], s_temp[6], s_temp[7], s[4], s[5], s[6], s[7]);\
 BIT_LOTR32_16(s_temp[8], s_temp[9], s_temp[10], s_temp[11], s[8], s[9], s[10], s[11]);\
 BIT_LOTR32_25(s_temp[12], s_temp[13], s_temp[14], s_temp[15], s[12], s[13], s[14], s[15]);\
 }

--- a/knot/Implementations/crypto_aead/knot256/armcortexm_3/encrypt.c
+++ b/knot/Implementations/crypto_aead/knot256/armcortexm_3/encrypt.c
@@ -146,10 +146,9 @@ int crypto_aead_encrypt(
 	const unsigned char *npub,
 	const unsigned char *k
 ) {
-	u32 i, j;
+	u32 i ;
 	u32 s_temp[16] = { 0 };
 	u32 t1, t2, t3, t5, t6, t8, t9, t11;
-	// initialization
 	u32 s[16] = { 0 };
 	u32 dataFormat[4] = { 0 };
 	u8 tempData[16] = {0};
@@ -236,10 +235,9 @@ int crypto_aead_decrypt(
 ){
 	u32 s_temp[16] = { 0 };
 	u32 t1, t2, t3, t5, t6, t8, t9, t11;
-	u8 i, j;
+	u8 i ;
 	// initialization
 	u32 s[16] = { 0 };
-	u32 dataFormat[4] = { 0 };
 	u32 dataFormat_1[4] = { 0 };
 	u32 dataFormat_2[4] = { 0 };
 	u8 tempData[16] = { 0 };
@@ -259,11 +257,11 @@ int crypto_aead_decrypt(
 	// process associated data
 	if (adlen) {
 		while (adlen >= aead_RATE) {
-			packU128FormatToFourPacket(dataFormat, ad);
+			packU128FormatToFourPacket(dataFormat_2, ad);
-			s[0] ^= dataFormat[0];
+			s[0] ^= dataFormat_2[0];
-			s[1] ^= dataFormat[1];
+			s[1] ^= dataFormat_2[1];
-			s[2] ^= dataFormat[2];
+			s[2] ^= dataFormat_2[2];
-			s[3] ^= dataFormat[3];
+			s[3] ^= dataFormat_2[3];
 			for (i = 0; i < PR_ROUNDS; i++) {
 				ROUND512(constant7Format_aead, i);
 			}
@@ -274,11 +272,11 @@ int crypto_aead_decrypt(
 		memcpy(tempData, ad, adlen * sizeof(unsigned char));
 		tempData[adlen] = 0x01;
-		packU128FormatToFourPacket(dataFormat, tempData);
+		packU128FormatToFourPacket(dataFormat_2, tempData);
-		s[0] ^= dataFormat[0];
+		s[0] ^= dataFormat_2[0];
-		s[1] ^= dataFormat[1];
+		s[1] ^= dataFormat_2[1];
-		s[2] ^= dataFormat[2];
+		s[2] ^= dataFormat_2[2];
-		s[3] ^= dataFormat[3];
+		s[3] ^= dataFormat_2[3];
 		for (i = 0; i < PR_ROUNDS; i++) {
 			ROUND512(constant7Format_aead, i);
 		}
@@ -319,12 +317,12 @@ int crypto_aead_decrypt(
 		ROUND512(constant7Format_aead, i);
 	}
 	// return tag	
-	packU128FormatToFourPacket(dataFormat, c);
+	unpackU128FormatToFourPacket(tempU8, s);
-	packU128FormatToFourPacket(dataFormat_1, (c + 16));
+	unpackU128FormatToFourPacket((tempU8 + 16), (s + 4));
-	if (dataFormat[0] != s[0] || dataFormat[1] != s[1] || dataFormat[2] != s[2] || dataFormat[3] != s[3]
+	if (memcmp((void*)tempU8, (void*)c, CRYPTO_ABYTES)) {
-		|| dataFormat_1[0] != s[4] || dataFormat_1[1] != s[5] || dataFormat_1[2] != s[6] || dataFormat_1[3] != s[7]) {
+		*mlen = 0;
+		memset(m, 0, sizeof(unsigned char) * (clen - CRYPTO_ABYTES));
 		return -1;
 	}
 	return 0;
 }
\ No newline at end of file