Skip to content

lwc / candidates

Go to a project
Commit c1ed6960 by Olivier Bronchain Committed by Enrico Pozzobon
Options

spook

parent 4f2227ae
Expand all
Inline Side-by-side
Showing with 4790 additions and 0 deletions
spook/Implementations/crypto_aead/spook128mu384v2/LWC_AEAD_KAT_256_128.txt 0 → 100644
This source diff could not be displayed because it is too large. You can view the blob instead.
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/COPYING 0 → 100644
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/api.h 0 → 100644
#include "parameters.h"
#define CRYPTO_KEYBYTES KEYBYTES
#define CRYPTO_NPUBBYTES 16
#define CRYPTO_NSECBYTES 0
#define CRYPTO_ABYTES 16
#define CRYPTO_NOOVERLAP 1
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/clyde_32bit.c 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers Olivier Bronchain
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define XORLS(DEST, OP) do { \
(DEST)[0] ^= (OP)[0]; \
(DEST)[1] ^= (OP)[1]; \
(DEST)[2] ^= (OP)[2]; \
(DEST)[3] ^= (OP)[3]; } while (0)
#define XORCST(DEST, LFSR) do { \
(DEST)[0] ^= ((LFSR)>>3 & 0x1); \
(DEST)[1] ^= ((LFSR)>>2 & 0x1); \
(DEST)[2] ^= ((LFSR)>>1 & 0x1); \
(DEST)[3] ^= ((LFSR) & 0x1); } while (0)
void clyde128_encrypt(clyde128_state state, const clyde128_state t, const unsigned char* k) {
// Key schedule
clyde128_state k_st;
memcpy(k_st, k, CLYDE128_NBYTES);
clyde128_state tk[3] = {
{ t[0], t[1], t[2], t[3] },
{ t[0] ^ t[2], t[1] ^ t[3], t[0], t[1] },
{ t[2], t[3], t[0] ^ t[2], t[1] ^ t[3] }
};
XORLS(tk[0], k_st);
XORLS(tk[1], k_st);
XORLS(tk[2], k_st);
// Datapath
XORLS(state, tk[0]);
uint32_t off = 0x924; // 2-bits describing the round key
uint32_t lfsr = 0x8; // LFSR for round constant
for (uint32_t s = 0; s < CLYDE_128_NS; s++) {
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
uint32_t b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
off >>=2;
XORLS(state, tk[off&0x03]);
}
}
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/crypto_aead.h 0 → 100644
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k);
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/encrypt.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "crypto_aead.h"
#include "s1p.h"
#ifdef __GNUC__
#define UNUSED __attribute__((unused))
#else
#define UNUSED
#endif
// Spook encryption.
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub, const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
s1p_encrypt(c, clen, ad, adlen, m, mlen, k_priv, p, npub);
return 0;
}
// Spook encryption.
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec UNUSED, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
return s1p_decrypt(m, mlen, ad, adlen, c, clen, k_priv, p, npub);
}
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/iacaMarks.h 0 → 100644
/*
* Copyright (2008-2009) Intel Corporation All Rights Reserved.
* The source code contained or described herein and all documents
* related to the source code ("Material") are owned by Intel Corporation
* or its suppliers or licensors. Title to the Material remains with
* Intel Corporation or its suppliers and licensors. The Material
* contains trade secrets and proprietary and confidential information
* of Intel or its suppliers and licensors. The Material is protected
* by worldwide copyright and trade secret laws and treaty provisions.
* No part of the Material may be used, copied, reproduced, modified,
* published, uploaded, posted, transmitted, distributed, or disclosed
* in any way without Intel(R)s prior express written permission.
*
* No license under any patent, copyright, trade secret or other
* intellectual property right is granted to or conferred upon you by
* disclosure or delivery of the Materials, either expressly, by implication,
* inducement, estoppel or otherwise. Any license under such intellectual
* property rights must be express and approved by Intel in writing.
*/
#if defined (__GNUC__)
#define IACA_SSC_MARK( MARK_ID ) \
__asm__ __volatile__ ( \
"\n\t movl $"#MARK_ID", %%ebx" \
"\n\t .byte 0x64, 0x67, 0x90" \
: : : "memory" );
#else
#define IACA_SSC_MARK(x) {__asm mov ebx, x\
__asm _emit 0x64 \
__asm _emit 0x67 \
__asm _emit 0x90 }
#endif
#define IACA_START {IACA_SSC_MARK(111)}
#define IACA_END {IACA_SSC_MARK(222)}
#ifdef _WIN64
#include <intrin.h>
#define IACA_VC64_START __writegsbyte(111, 111);
#define IACA_VC64_END __writegsbyte(222, 222);
#endif
/**************** asm *****************
;START_MARKER
mov ebx, 111
db 0x64, 0x67, 0x90
;END_MARKER
mov ebx, 222
db 0x64, 0x67, 0x90
**************************************/
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/parameters.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _PARAMETERS_H_
#define _PARAMETERS_H_
#define MULTI_USER 1
#define SMALL_PERM 1
#if MULTI_USER
#define KEYBYTES 32
#else
#define KEYBYTES 16
#endif
#include "api.h"
#if (KEYBYTES != CRYPTO_KEYBYTES)
#error "Wrong parameters in api.h"
#endif
#endif //_PARAMETERS_H_
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/primitives.c 0 → 100644
#include "primitives.h"
#ifdef SHADOW
static uint32_t lfsr_poly;
static uint32_t xtime_poly;
#endif
// Apply a S-box layer to a Clyde-128 state.
static void sbox_layer(uint32_t* state) {
uint32_t y1 = (state[0] & state[1]) ^ state[2];
uint32_t y0 = (state[3] & state[0]) ^ state[1];
uint32_t y3 = (y1 & state[3]) ^ state[0];
uint32_t y2 = (y0 & y1) ^ state[3];
state[0] = y0;
state[1] = y1;
state[2] = y2;
state[3] = y3;
}
// Apply a L-box to a pair of Clyde-128 rows.
static void lbox(uint32_t* x, uint32_t* y) {
uint32_t a, b, c, d;
a = *x ^ ROT32(*x, 12);
b = *y ^ ROT32(*y, 12);
a = a ^ ROT32(a, 3);
b = b ^ ROT32(b, 3);
a = a ^ ROT32(*x, 17);
b = b ^ ROT32(*y, 17);
c = a ^ ROT32(a, 31);
d = b ^ ROT32(b, 31);
a = a ^ ROT32(d, 26);
b = b ^ ROT32(c, 25);
a = a ^ ROT32(c, 15);
b = b ^ ROT32(d, 15);
*x = a;
*y = b;
}
#ifdef SHADOW
void set_poly_lfsr(uint32_t l){
lfsr_poly = l;
}
void set_poly_xtime(uint32_t l){
xtime_poly = l;
}
static uint32_t update_lfsr(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & lfsr_poly;
return (x<<1) ^ tmp;
}
static uint32_t xtime(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & xtime_poly;
return (x<<1) ^ tmp;
}
// Apply a D-box layer to a Shadow state.
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr) {
for (unsigned int row = 0; row < LS_ROWS; row++) {
#if SMALL_PERM
uint32_t x1 = state[0][row];
uint32_t x2 = state[1][row];
uint32_t x3 = state[2][row];
uint32_t a = x1 ^ x3;
uint32_t b = a ^ x2;
uint32_t c = xtime(a) ^ (x1 ^ x2);
state[0][row] = a ^ c;
state[1][row] = b;
state[2][row] = c;
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#else
state[0][row] ^= state[1][row];
state[2][row] ^= state[3][row];
state[1][row] ^= state[2][row];
state[3][row] ^= xtime(state[0][row]);
state[2][row] ^= xtime(state[3][row]);
state[1][row] = xtime(state[1][row]);
state[0][row] ^= state[1][row];
state[3][row] ^= state[0][row];
state[1][row] ^= state[2][row];
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#endif // SMALL_PERM
}
}
#endif
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/primitives.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_PRIMITIVES_H_
#define _H_PRIMITIVES_H_
#include <stdint.h>
#include "parameters.h"
#define CLYDE128_NBYTES 16
#define ROTL(x, n) ((x << n) | (x >> ((32-n) & 31)))
#ifndef SHCST
#define SHCST 1
#endif
#ifndef DBOX
#define DBOX 1
#endif
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
#define SHADOW_NBYTES 64
#endif // SMALL_PERM
#define LS_ROWS 4 // Rows in the LS design
#define LS_ROW_BYTES 4 // number of bytes per row in the LS design
#define MLS_BUNDLES \
(SHADOW_NBYTES / (LS_ROWS* LS_ROW_BYTES)) // Bundles in the mLS design
#define ROT32(x,n) ((uint32_t)(((x)>>(n))|((x)<<(32-(n)))))
typedef __attribute__((aligned(16))) uint32_t clyde128_state[LS_ROWS];
typedef __attribute__((aligned(64))) clyde128_state shadow_state[MLS_BUNDLES];
void clyde128_encrypt(clyde128_state state,
const clyde128_state t, const unsigned char* k);
void shadow(shadow_state state);
static void sbox_layer(uint32_t* state);
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr);
static void lbox(uint32_t* x, uint32_t* y);
#endif //_H_PRIMITIVES_H_
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/s1p.c 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "s1p.h"
#include "parameters.h"
#define CAPACITY_BYTES 32
#define RATE_BYTES (SHADOW_NBYTES - CAPACITY_BYTES)
#define RATE_BUNDLES (RATE_BYTES/(LS_ROWS*LS_ROW_BYTES))
// Working mode for block compression.
typedef enum {
AD,
PLAINTEXT,
CIPHERTEXT
} compress_mode;
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n);
static unsigned long long compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode);
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
static void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob) {
*k = k_glob;
#if MULTI_USER
memcpy(p, k_glob + CLYDE128_NBYTES, P_NBYTES);
p[P_NBYTES - 1] &= 0x7F; // set last p bit to 0
p[P_NBYTES - 1] |= 0x40; // set next to last p bit to 0
#else
memset(p, 0, P_NBYTES);
#endif // MULTI_USER
}
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// init state
memset(state, 0, SHADOW_NBYTES);
memcpy(state[0], n, P_NBYTES);
memcpy(state[1], p, CRYPTO_NPUBBYTES);
memcpy(state[2], n, CRYPTO_NPUBBYTES);
clyde128_encrypt(state[0], state[1], k);
// initial permutation
shadow(state);
}
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
shadow_state state;
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long c_bytes = 0;
if (mlen > 0) {
state[RATE_BUNDLES][0] ^= 0x01;
c_bytes = compress_data(state, c, m, mlen, PLAINTEXT);
}
// tag
state[1][LS_ROWS- 1] |= 0x80000000;
clyde128_encrypt(state[0], state[1], k);
memcpy(c+c_bytes, state[0], CLYDE128_NBYTES);
*clen = c_bytes + CLYDE128_NBYTES;
}
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
shadow_state state;
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long m_bytes = 0;
if (clen > CLYDE128_NBYTES) {
state[RATE_BUNDLES][0] ^= 0x01;
m_bytes = compress_data(state, m, c, clen - CLYDE128_NBYTES, CIPHERTEXT);
}
// tag verification
state[1][LS_ROWS- 1] |= 0x80000000;
clyde128_encrypt(state[0], state[1], k);
unsigned char *st0 = (unsigned char *) state[0];
int tag_ok = 1;
for (int i = 0; i < 4*LS_ROWS; i++) {
tag_ok &= (st0[i] == c[m_bytes+i]);
}
if (tag_ok) {
*mlen = m_bytes;
return 0;
} else {
// Reset output buffer to avoid unintended unauthenticated plaintext
// release.
memset(m, 0, clen - CLYDE128_NBYTES);
*mlen = 0;
return -1;
}
}
// Compress a block into the state. Length of the block is n and buffers are
// accessed starting at offset. Input block is d, output is written into
// buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Only the XOR operation is performed, not XORing of padding constants.
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n) {
if (mode == CIPHERTEXT) {
xor_bytes(out + offset, state, d + offset, n);
memcpy(state, d + offset, n);
} else {
xor_bytes(state, state, d + offset, n);
if (mode == PLAINTEXT) {
memcpy(out + offset, state, n);
}
}
}
// Compress a block into the state (in duplex-sponge mode).
// Input data buffer is d with length dlen.
// Output is written into buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Padding is handled if needed.
static unsigned long long compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode) {
unsigned long long i;
for (i = 0; i < dlen / RATE_BYTES; i++) {
compress_block((uint8_t *)state, out, d, mode, i * RATE_BYTES, RATE_BYTES);
shadow(state);
}
int rem = dlen % RATE_BYTES;
if (rem != 0) {
compress_block((uint8_t *)state, out, d, mode, i * RATE_BYTES, rem);
((uint8_t *)state)[rem] ^= 0x01;
((uint8_t *)state)[RATE_BYTES] ^= 0x02;
shadow(state);
}
return i * RATE_BYTES + rem;
}
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n) {
for ( unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/s1p.h 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef _H_S1P_H_
#define _H_S1P_H_
#include "parameters.h"
// Size of the P parameter
#define P_NBYTES 16
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob);
#endif //_H_S1P_H_
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/shadow_32bit.c 0 → 100644
/* MIT
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#define SHADOW
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define SHADOW_NS 6 // Number of steps
#define SHADOW_NR 2 * SHADOW_NS // Number of roundsv
void shadow(shadow_state state) {
uint32_t lfsr =0xf8737400; // LFSR for round constant
set_poly_xtime(0x101);
set_poly_lfsr(0xc5);
for (unsigned int s = 0; s < SHADOW_NS; s++) {
#pragma GCC unroll 0
for (unsigned int b = 0; b < MLS_BUNDLES; b++){
sbox_layer(state[b]);
lbox(&state[b][0], &state[b][1]);
lbox(&state[b][2], &state[b][3]);
state[b][1] ^= lfsr;
lfsr = update_lfsr(lfsr);
sbox_layer(state[b]);
}
dbox_mls_layer(state,&lfsr);
}
}
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/utils.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdint.h>
#include "utils.h"
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n) {
for (unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
// Rotate right x by amount c.
// We use right rotation of integers for the lboxes while the specification
// tells left rotation of bitstrings due to the bitsting -> integer
// little-endian mapping used in Spook.
//uint32_t rotr(uint32_t x, unsigned int c) { return (x >> c) | (x << (32 - c)); }
// Convert 4 bytes into a uint32. Bytes are in little-endian.
uint32_t le32u_dec(const unsigned char bytes[4]) {
uint32_t res = 0;
for (unsigned int col = 0; col < 4; col++) {
res |= ((uint32_t)bytes[col]) << 8 * col;
}
return res;
}
// Convert a uint32 into 4 bytes. Bytes are in little-endian.
void le32u_enc(unsigned char bytes[4], uint32_t x) {
for (unsigned int i = 0; i < 4; i++) {
bytes[i] = x >> 8 * i;
}
}
spook/Implementations/crypto_aead/spook128mu384v2/opt_c/utils.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_UTILS_H_
#define _H_UTILS_H_
#include <stdint.h>
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n);
//uint32_t rotr(uint32_t x, unsigned int c);
uint32_t le32u_dec(const unsigned char bytes[4]);
void le32u_enc(unsigned char bytes[4], uint32_t x);
#endif // _H_UTILS_H_
spook/Implementations/crypto_aead/spook128mu384v2/ref/COPYING 0 → 100644
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.
spook/Implementations/crypto_aead/spook128mu384v2/ref/api.h 0 → 100644
#define CRYPTO_KEYBYTES 32
#define CRYPTO_NPUBBYTES 16
#define CRYPTO_NSECBYTES 0
#define CRYPTO_ABYTES 16
#define CRYPTO_NOOVERLAP 1
spook/Implementations/crypto_aead/spook128mu384v2/ref/crypto_aead.h 0 → 100644
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k);
spook/Implementations/crypto_aead/spook128mu384v2/ref/encrypt.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "crypto_aead.h"
#include "s1p.h"
#ifdef __GNUC__
#define UNUSED __attribute__((unused))
#else
#define UNUSED
#endif
// Spook encryption.
int
crypto_aead_encrypt(unsigned char* c,
unsigned long long* clen,
const unsigned char* m,
unsigned long long mlen,
const unsigned char* ad,
unsigned long long adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub,
const unsigned char* k)
{
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
s1p_encrypt(c, clen, ad, adlen, m, mlen, k_priv, p, npub);
return 0;
}
// Spook encryption.
int
crypto_aead_decrypt(unsigned char* m,
unsigned long long* mlen,
unsigned char* nsec UNUSED,
const unsigned char* c,
unsigned long long clen,
const unsigned char* ad,
unsigned long long adlen,
const unsigned char* npub,
const unsigned char* k)
{
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
return s1p_decrypt(m, mlen, ad, adlen, c, clen, k_priv, p, npub);
}
spook/Implementations/crypto_aead/spook128mu384v2/ref/parameters.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _PARAMETERS_H_
#define _PARAMETERS_H_
#define MULTI_USER 1
#define SMALL_PERM 1
#if MULTI_USER
#define KEYBYTES 32
#else
#define KEYBYTES 16
#endif
#include "api.h"
#if (KEYBYTES != CRYPTO_KEYBYTES)
#error "Wrong parameters in api.h"
#endif
#endif //_PARAMETERS_H_
spook/Implementations/crypto_aead/spook128mu384v2/ref/primitives.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_PRIMITIVES_H_
#define _H_PRIMITIVES_H_
#include "parameters.h"
#define CLYDE128_NBYTES 16
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
#define SHADOW_NBYTES 64
#endif // SMALL_PERM
void
clyde128_encrypt(unsigned char* c,
const unsigned char* m,
const unsigned char* t,
const unsigned char* k);
void
clyde128_decrypt(unsigned char* m,
const unsigned char* c,
const unsigned char* t,
const unsigned char* k);
void
shadow(unsigned char* x);
#endif //_H_PRIMITIVES_H_
spook/Implementations/crypto_aead/spook128mu384v2/ref/s1p.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "s1p.h"
#include "parameters.h"
#include "primitives.h"
#include "utils.h"
#define CAPACITY_BYTES 32
#define RATE_BYTES (SHADOW_NBYTES - CAPACITY_BYTES)
// Working mode for block compression.
typedef enum {
AD,
PLAINTEXT,
CIPHERTEXT
} compress_mode;
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n);
static unsigned long long compress_data(unsigned char *state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode);
static void init_sponge_state(unsigned char state[SHADOW_NBYTES],
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob) {
*k = k_glob;
#if MULTI_USER
memcpy(p, k_glob + CLYDE128_NBYTES, P_NBYTES);
p[P_NBYTES - 1] &= 0x7F; // set last p bit to 0
p[P_NBYTES - 1] |= 0x40; // set next to last p bit to 0
#else
memset(p, 0, P_NBYTES);
#endif // MULTI_USER
}
static void init_sponge_state(unsigned char state[SHADOW_NBYTES],
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// init state
memset(state, 0, SHADOW_NBYTES);
memcpy(state + CLYDE128_NBYTES, p, P_NBYTES);
memcpy(state + CLYDE128_NBYTES + P_NBYTES, n, CRYPTO_NPUBBYTES);
// TBC
unsigned char padded_nonce[CLYDE128_NBYTES] = { 0 };
memcpy(padded_nonce, n, CRYPTO_NPUBBYTES);
unsigned char *b = state;
clyde128_encrypt(b, padded_nonce, p, k);
// initial permutation
shadow(state);
}
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
unsigned char state[SHADOW_NBYTES];
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long c_bytes = 0;
if (mlen > 0) {
state[RATE_BYTES] ^= 0x01;
c_bytes = compress_data(state, c, m, mlen, PLAINTEXT);
}
// tag
state[CLYDE128_NBYTES + CLYDE128_NBYTES - 1] |= 0x80;
clyde128_encrypt(c + c_bytes, state, state + CLYDE128_NBYTES, k);
*clen = c_bytes + CLYDE128_NBYTES;
}
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
unsigned char state[SHADOW_NBYTES];
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long m_bytes = 0;
if (clen > CLYDE128_NBYTES) {
state[RATE_BYTES] ^= 0x01;
m_bytes = compress_data(state, m, c, clen - CLYDE128_NBYTES, CIPHERTEXT);
}
// NOTE: We use here so-called "inverse-based tag verification",
// that is, we apply the inverse Clyde TBC to the tag extracted from
// the ciphertext and check the result against the output of Shadow.
// This way of verifying the tag is interesting in some specific cases
// such as side-channel protected implementations.
// In general implementations, the tag verification SHOULD be done in a
// more conventional way: encrypting the output of Shadow with Clyde and
// verifying the tag against the resulting value.
// This is more efficient as it does not require to implement the inverse
// Clyde.
// For more details, see the Spook specification at https://spook.dev.
unsigned char inv_tag[CLYDE128_NBYTES];
unsigned char *u = state;
state[(2 * CLYDE128_NBYTES) - 1] |= 0x80;
clyde128_decrypt(inv_tag, c + m_bytes, state + CLYDE128_NBYTES, k);
int tag_ok = 1;
for (int i = 0; i < CLYDE128_NBYTES; i++) {
tag_ok &= (u[i] == inv_tag[i]);
}
if (tag_ok) {
*mlen = m_bytes;
return 0;
} else {
// Reset output buffer to avoid unintended unauthenticated plaintext
// release.
memset(m, 0, clen - CLYDE128_NBYTES);
*mlen = 0;
return -1;
}
}
// Compress a block into the state. Length of the block is n and buffers are
// accessed starting at offset. Input block is d, output is written into
// buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Only the XOR operation is performed, not XORing of padding constants.
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n) {
if (mode == CIPHERTEXT) {
xor_bytes(out + offset, state, d + offset, n);
memcpy(state, d + offset, n);
} else {
xor_bytes(state, state, d + offset, n);
if (mode == PLAINTEXT) {
memcpy(out + offset, state, n);
}
}
}
// Compress a block into the state (in duplex-sponge mode).
// Input data buffer is d with length dlen.
// Output is written into buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Padding is handled if needed.
static unsigned long long compress_data(unsigned char *state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode) {
unsigned long long i;
for (i = 0; i < dlen / RATE_BYTES; i++) {
compress_block(state, out, d, mode, i * RATE_BYTES, RATE_BYTES);
shadow(state);
}
int rem = dlen % RATE_BYTES;
if (rem != 0) {
compress_block(state, out, d, mode, i * RATE_BYTES, rem);
state[rem] ^= 0x01;
state[RATE_BYTES] ^= 0x02;
shadow(state);
}
return i * RATE_BYTES + rem;
}
spook/Implementations/crypto_aead/spook128mu384v2/ref/s1p.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_S1P_H_
#define _H_S1P_H_
#include "parameters.h"
// Size of the P parameter
#define P_NBYTES 16
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob);
#endif //_H_S1P_H_
spook/Implementations/crypto_aead/spook128mu384v2/ref/utils.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdint.h>
#include "utils.h"
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void
xor_bytes(unsigned char* dest,
const unsigned char* src1,
const unsigned char* src2,
unsigned long long n)
{
for (unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
// Rotate right x by amount c.
// We use right rotation of integers for the lboxes while the specification
// tells left rotation of bitstrings due to the bitsting -> integer
// little-endian mapping used in Spook.
uint32_t
rotr(uint32_t x, unsigned int c)
{
return (x >> c) | (x << (32 - c));
}
// Convert 4 bytes into a uint32. Bytes are in little-endian.
uint32_t
le32u_dec(const unsigned char bytes[4])
{
uint32_t res = 0;
for (unsigned int col = 0; col < 4; col++) {
res |= ((uint32_t)bytes[col]) << 8 * col;
}
return res;
}
// Convert a uint32 into 4 bytes. Bytes are in little-endian.
void
le32u_enc(unsigned char bytes[4], uint32_t x)
{
for (unsigned int i = 0; i < 4; i++) {
bytes[i] = x >> 8 * i;
}
}
spook/Implementations/crypto_aead/spook128mu384v2/ref/utils.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_UTILS_H_
#define _H_UTILS_H_
#include <stdint.h>
void
xor_bytes(unsigned char* dest,
const unsigned char* src1,
const unsigned char* src2,
unsigned long long n);
uint32_t
rotr(uint32_t x, unsigned int c);
uint32_t
le32u_dec(const unsigned char bytes[4]);
void
le32u_enc(unsigned char bytes[4], uint32_t x);
#endif // _H_UTILS_H_
spook/Implementations/crypto_aead/spook128mu512v2/LWC_AEAD_KAT_256_128.txt 0 → 100644
This source diff could not be displayed because it is too large. You can view the blob instead.
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/COPYING 0 → 100644
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/api.h 0 → 100644
#include "parameters.h"
#define CRYPTO_KEYBYTES KEYBYTES
#define CRYPTO_NPUBBYTES 16
#define CRYPTO_NSECBYTES 0
#define CRYPTO_ABYTES 16
#define CRYPTO_NOOVERLAP 1
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/clyde_32bit.c 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers Olivier Bronchain
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define XORLS(DEST, OP) do { \
(DEST)[0] ^= (OP)[0]; \
(DEST)[1] ^= (OP)[1]; \
(DEST)[2] ^= (OP)[2]; \
(DEST)[3] ^= (OP)[3]; } while (0)
#define XORCST(DEST, LFSR) do { \
(DEST)[0] ^= ((LFSR)>>3 & 0x1); \
(DEST)[1] ^= ((LFSR)>>2 & 0x1); \
(DEST)[2] ^= ((LFSR)>>1 & 0x1); \
(DEST)[3] ^= ((LFSR) & 0x1); } while (0)
void clyde128_encrypt(clyde128_state state, const clyde128_state t, const unsigned char* k) {
// Key schedule
clyde128_state k_st;
memcpy(k_st, k, CLYDE128_NBYTES);
clyde128_state tk[3] = {
{ t[0], t[1], t[2], t[3] },
{ t[0] ^ t[2], t[1] ^ t[3], t[0], t[1] },
{ t[2], t[3], t[0] ^ t[2], t[1] ^ t[3] }
};
XORLS(tk[0], k_st);
XORLS(tk[1], k_st);
XORLS(tk[2], k_st);
// Datapath
XORLS(state, tk[0]);
uint32_t off = 0x924; // 2-bits describing the round key
uint32_t lfsr = 0x8; // LFSR for round constant
for (uint32_t s = 0; s < CLYDE_128_NS; s++) {
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
uint32_t b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
off >>=2;
XORLS(state, tk[off&0x03]);
}
}
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/crypto_aead.h 0 → 100644
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k);
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/encrypt.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "crypto_aead.h"
#include "s1p.h"
#ifdef __GNUC__
#define UNUSED __attribute__((unused))
#else
#define UNUSED
#endif
// Spook encryption.
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub, const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
s1p_encrypt(c, clen, ad, adlen, m, mlen, k_priv, p, npub);
return 0;
}
// Spook encryption.
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec UNUSED, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
return s1p_decrypt(m, mlen, ad, adlen, c, clen, k_priv, p, npub);
}
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/iacaMarks.h 0 → 100644
/*
* Copyright (2008-2009) Intel Corporation All Rights Reserved.
* The source code contained or described herein and all documents
* related to the source code ("Material") are owned by Intel Corporation
* or its suppliers or licensors. Title to the Material remains with
* Intel Corporation or its suppliers and licensors. The Material
* contains trade secrets and proprietary and confidential information
* of Intel or its suppliers and licensors. The Material is protected
* by worldwide copyright and trade secret laws and treaty provisions.
* No part of the Material may be used, copied, reproduced, modified,
* published, uploaded, posted, transmitted, distributed, or disclosed
* in any way without Intel(R)s prior express written permission.
*
* No license under any patent, copyright, trade secret or other
* intellectual property right is granted to or conferred upon you by
* disclosure or delivery of the Materials, either expressly, by implication,
* inducement, estoppel or otherwise. Any license under such intellectual
* property rights must be express and approved by Intel in writing.
*/
#if defined (__GNUC__)
#define IACA_SSC_MARK( MARK_ID ) \
__asm__ __volatile__ ( \
"\n\t movl $"#MARK_ID", %%ebx" \
"\n\t .byte 0x64, 0x67, 0x90" \
: : : "memory" );
#else
#define IACA_SSC_MARK(x) {__asm mov ebx, x\
__asm _emit 0x64 \
__asm _emit 0x67 \
__asm _emit 0x90 }
#endif
#define IACA_START {IACA_SSC_MARK(111)}
#define IACA_END {IACA_SSC_MARK(222)}
#ifdef _WIN64
#include <intrin.h>
#define IACA_VC64_START __writegsbyte(111, 111);
#define IACA_VC64_END __writegsbyte(222, 222);
#endif
/**************** asm *****************
;START_MARKER
mov ebx, 111
db 0x64, 0x67, 0x90
;END_MARKER
mov ebx, 222
db 0x64, 0x67, 0x90
**************************************/
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/parameters.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _PARAMETERS_H_
#define _PARAMETERS_H_
#define MULTI_USER 1
#define SMALL_PERM 0
#if MULTI_USER
#define KEYBYTES 32
#else
#define KEYBYTES 16
#endif
#include "api.h"
#if (KEYBYTES != CRYPTO_KEYBYTES)
#error "Wrong parameters in api.h"
#endif
#endif //_PARAMETERS_H_
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/primitives.c 0 → 100644
#include "primitives.h"
#ifdef SHADOW
static uint32_t lfsr_poly;
static uint32_t xtime_poly;
#endif
// Apply a S-box layer to a Clyde-128 state.
static void sbox_layer(uint32_t* state) {
uint32_t y1 = (state[0] & state[1]) ^ state[2];
uint32_t y0 = (state[3] & state[0]) ^ state[1];
uint32_t y3 = (y1 & state[3]) ^ state[0];
uint32_t y2 = (y0 & y1) ^ state[3];
state[0] = y0;
state[1] = y1;
state[2] = y2;
state[3] = y3;
}
// Apply a L-box to a pair of Clyde-128 rows.
static void lbox(uint32_t* x, uint32_t* y) {
uint32_t a, b, c, d;
a = *x ^ ROT32(*x, 12);
b = *y ^ ROT32(*y, 12);
a = a ^ ROT32(a, 3);
b = b ^ ROT32(b, 3);
a = a ^ ROT32(*x, 17);
b = b ^ ROT32(*y, 17);
c = a ^ ROT32(a, 31);
d = b ^ ROT32(b, 31);
a = a ^ ROT32(d, 26);
b = b ^ ROT32(c, 25);
a = a ^ ROT32(c, 15);
b = b ^ ROT32(d, 15);
*x = a;
*y = b;
}
#ifdef SHADOW
void set_poly_lfsr(uint32_t l){
lfsr_poly = l;
}
void set_poly_xtime(uint32_t l){
xtime_poly = l;
}
static uint32_t update_lfsr(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & lfsr_poly;
return (x<<1) ^ tmp;
}
static uint32_t xtime(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & xtime_poly;
return (x<<1) ^ tmp;
}
// Apply a D-box layer to a Shadow state.
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr) {
for (unsigned int row = 0; row < LS_ROWS; row++) {
#if SMALL_PERM
uint32_t x1 = state[0][row];
uint32_t x2 = state[1][row];
uint32_t x3 = state[2][row];
uint32_t a = x1 ^ x3;
uint32_t b = a ^ x2;
uint32_t c = xtime(a) ^ (x1 ^ x2);
state[0][row] = a ^ c;
state[1][row] = b;
state[2][row] = c;
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#else
state[0][row] ^= state[1][row];
state[2][row] ^= state[3][row];
state[1][row] ^= state[2][row];
state[3][row] ^= xtime(state[0][row]);
state[2][row] ^= xtime(state[3][row]);
state[1][row] = xtime(state[1][row]);
state[0][row] ^= state[1][row];
state[3][row] ^= state[0][row];
state[1][row] ^= state[2][row];
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#endif // SMALL_PERM
}
}
#endif
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/primitives.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_PRIMITIVES_H_
#define _H_PRIMITIVES_H_
#include <stdint.h>
#include "parameters.h"
#define CLYDE128_NBYTES 16
#define ROTL(x, n) ((x << n) | (x >> ((32-n) & 31)))
#ifndef SHCST
#define SHCST 1
#endif
#ifndef DBOX
#define DBOX 1
#endif
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
#define SHADOW_NBYTES 64
#endif // SMALL_PERM
#define LS_ROWS 4 // Rows in the LS design
#define LS_ROW_BYTES 4 // number of bytes per row in the LS design
#define MLS_BUNDLES \
(SHADOW_NBYTES / (LS_ROWS* LS_ROW_BYTES)) // Bundles in the mLS design
#define ROT32(x,n) ((uint32_t)(((x)>>(n))|((x)<<(32-(n)))))
typedef __attribute__((aligned(16))) uint32_t clyde128_state[LS_ROWS];
typedef __attribute__((aligned(64))) clyde128_state shadow_state[MLS_BUNDLES];
void clyde128_encrypt(clyde128_state state,
const clyde128_state t, const unsigned char* k);
void shadow(shadow_state state);
static void sbox_layer(uint32_t* state);
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr);
static void lbox(uint32_t* x, uint32_t* y);
#endif //_H_PRIMITIVES_H_
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/s1p.c 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "s1p.h"
#include "parameters.h"
#define CAPACITY_BYTES 32
#define RATE_BYTES (SHADOW_NBYTES - CAPACITY_BYTES)
#define RATE_BUNDLES (RATE_BYTES/(LS_ROWS*LS_ROW_BYTES))
// Working mode for block compression.
typedef enum {
AD,
PLAINTEXT,
CIPHERTEXT
} compress_mode;
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n);
static unsigned long long compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode);
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
static void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob) {
*k = k_glob;
#if MULTI_USER
memcpy(p, k_glob + CLYDE128_NBYTES, P_NBYTES);
p[P_NBYTES - 1] &= 0x7F; // set last p bit to 0
p[P_NBYTES - 1] |= 0x40; // set next to last p bit to 0
#else
memset(p, 0, P_NBYTES);
#endif // MULTI_USER
}
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// init state
memset(state, 0, SHADOW_NBYTES);
memcpy(state[0], n, P_NBYTES);
memcpy(state[1], p, CRYPTO_NPUBBYTES);
memcpy(state[2], n, CRYPTO_NPUBBYTES);
clyde128_encrypt(state[0], state[1], k);
// initial permutation
shadow(state);
}
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
shadow_state state;
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long c_bytes = 0;
if (mlen > 0) {
state[RATE_BUNDLES][0] ^= 0x01;
c_bytes = compress_data(state, c, m, mlen, PLAINTEXT);
}
// tag
state[1][LS_ROWS- 1] |= 0x80000000;
clyde128_encrypt(state[0], state[1], k);
memcpy(c+c_bytes, state[0], CLYDE128_NBYTES);
*clen = c_bytes + CLYDE128_NBYTES;
}
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
shadow_state state;
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long m_bytes = 0;
if (clen > CLYDE128_NBYTES) {
state[RATE_BUNDLES][0] ^= 0x01;
m_bytes = compress_data(state, m, c, clen - CLYDE128_NBYTES, CIPHERTEXT);
}
// tag verification
state[1][LS_ROWS- 1] |= 0x80000000;
clyde128_encrypt(state[0], state[1], k);
unsigned char *st0 = (unsigned char *) state[0];
int tag_ok = 1;
for (int i = 0; i < 4*LS_ROWS; i++) {
tag_ok &= (st0[i] == c[m_bytes+i]);
}
if (tag_ok) {
*mlen = m_bytes;
return 0;
} else {
// Reset output buffer to avoid unintended unauthenticated plaintext
// release.
memset(m, 0, clen - CLYDE128_NBYTES);
*mlen = 0;
return -1;
}
}
// Compress a block into the state. Length of the block is n and buffers are
// accessed starting at offset. Input block is d, output is written into
// buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Only the XOR operation is performed, not XORing of padding constants.
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n) {
if (mode == CIPHERTEXT) {
xor_bytes(out + offset, state, d + offset, n);
memcpy(state, d + offset, n);
} else {
xor_bytes(state, state, d + offset, n);
if (mode == PLAINTEXT) {
memcpy(out + offset, state, n);
}
}
}
// Compress a block into the state (in duplex-sponge mode).
// Input data buffer is d with length dlen.
// Output is written into buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Padding is handled if needed.
static unsigned long long compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode) {
unsigned long long i;
for (i = 0; i < dlen / RATE_BYTES; i++) {
compress_block((uint8_t *)state, out, d, mode, i * RATE_BYTES, RATE_BYTES);
shadow(state);
}
int rem = dlen % RATE_BYTES;
if (rem != 0) {
compress_block((uint8_t *)state, out, d, mode, i * RATE_BYTES, rem);
((uint8_t *)state)[rem] ^= 0x01;
((uint8_t *)state)[RATE_BYTES] ^= 0x02;
shadow(state);
}
return i * RATE_BYTES + rem;
}
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n) {
for ( unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/s1p.h 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef _H_S1P_H_
#define _H_S1P_H_
#include "parameters.h"
// Size of the P parameter
#define P_NBYTES 16
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob);
#endif //_H_S1P_H_
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/shadow_32bit.c 0 → 100644
/* MIT
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#define SHADOW
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define SHADOW_NS 6 // Number of steps
#define SHADOW_NR 2 * SHADOW_NS // Number of roundsv
void shadow(shadow_state state) {
uint32_t lfsr =0xf8737400; // LFSR for round constant
set_poly_xtime(0x101);
set_poly_lfsr(0xc5);
for (unsigned int s = 0; s < SHADOW_NS; s++) {
#pragma GCC unroll 0
for (unsigned int b = 0; b < MLS_BUNDLES; b++){
sbox_layer(state[b]);
lbox(&state[b][0], &state[b][1]);
lbox(&state[b][2], &state[b][3]);
state[b][1] ^= lfsr;
lfsr = update_lfsr(lfsr);
sbox_layer(state[b]);
}
dbox_mls_layer(state,&lfsr);
}
}
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/utils.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdint.h>
#include "utils.h"
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n) {
for (unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
// Rotate right x by amount c.
// We use right rotation of integers for the lboxes while the specification
// tells left rotation of bitstrings due to the bitsting -> integer
// little-endian mapping used in Spook.
//uint32_t rotr(uint32_t x, unsigned int c) { return (x >> c) | (x << (32 - c)); }
// Convert 4 bytes into a uint32. Bytes are in little-endian.
uint32_t le32u_dec(const unsigned char bytes[4]) {
uint32_t res = 0;
for (unsigned int col = 0; col < 4; col++) {
res |= ((uint32_t)bytes[col]) << 8 * col;
}
return res;
}
// Convert a uint32 into 4 bytes. Bytes are in little-endian.
void le32u_enc(unsigned char bytes[4], uint32_t x) {
for (unsigned int i = 0; i < 4; i++) {
bytes[i] = x >> 8 * i;
}
}
spook/Implementations/crypto_aead/spook128mu512v2/opt_c/utils.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_UTILS_H_
#define _H_UTILS_H_
#include <stdint.h>
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n);
//uint32_t rotr(uint32_t x, unsigned int c);
uint32_t le32u_dec(const unsigned char bytes[4]);
void le32u_enc(unsigned char bytes[4], uint32_t x);
#endif // _H_UTILS_H_
spook/Implementations/crypto_aead/spook128mu512v2/ref/COPYING 0 → 100644
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.
spook/Implementations/crypto_aead/spook128mu512v2/ref/api.h 0 → 100644
#define CRYPTO_KEYBYTES 32
#define CRYPTO_NPUBBYTES 16
#define CRYPTO_NSECBYTES 0
#define CRYPTO_ABYTES 16
#define CRYPTO_NOOVERLAP 1
spook/Implementations/crypto_aead/spook128mu512v2/ref/crypto_aead.h 0 → 100644
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k);
spook/Implementations/crypto_aead/spook128mu512v2/ref/encrypt.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "crypto_aead.h"
#include "s1p.h"
#ifdef __GNUC__
#define UNUSED __attribute__((unused))
#else
#define UNUSED
#endif
// Spook encryption.
int
crypto_aead_encrypt(unsigned char* c,
unsigned long long* clen,
const unsigned char* m,
unsigned long long mlen,
const unsigned char* ad,
unsigned long long adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub,
const unsigned char* k)
{
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
s1p_encrypt(c, clen, ad, adlen, m, mlen, k_priv, p, npub);
return 0;
}
// Spook encryption.
int
crypto_aead_decrypt(unsigned char* m,
unsigned long long* mlen,
unsigned char* nsec UNUSED,
const unsigned char* c,
unsigned long long clen,
const unsigned char* ad,
unsigned long long adlen,
const unsigned char* npub,
const unsigned char* k)
{
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
return s1p_decrypt(m, mlen, ad, adlen, c, clen, k_priv, p, npub);
}
spook/Implementations/crypto_aead/spook128mu512v2/ref/parameters.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _PARAMETERS_H_
#define _PARAMETERS_H_
#define MULTI_USER 1
#define SMALL_PERM 0
#if MULTI_USER
#define KEYBYTES 32
#else
#define KEYBYTES 16
#endif
#include "api.h"
#if (KEYBYTES != CRYPTO_KEYBYTES)
#error "Wrong parameters in api.h"
#endif
#endif //_PARAMETERS_H_
spook/Implementations/crypto_aead/spook128mu512v2/ref/primitives.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_PRIMITIVES_H_
#define _H_PRIMITIVES_H_
#include "parameters.h"
#define CLYDE128_NBYTES 16
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
#define SHADOW_NBYTES 64
#endif // SMALL_PERM
void
clyde128_encrypt(unsigned char* c,
const unsigned char* m,
const unsigned char* t,
const unsigned char* k);
void
clyde128_decrypt(unsigned char* m,
const unsigned char* c,
const unsigned char* t,
const unsigned char* k);
void
shadow(unsigned char* x);
#endif //_H_PRIMITIVES_H_
spook/Implementations/crypto_aead/spook128mu512v2/ref/s1p.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "s1p.h"
#include "parameters.h"
#include "primitives.h"
#include "utils.h"
#define CAPACITY_BYTES 32
#define RATE_BYTES (SHADOW_NBYTES - CAPACITY_BYTES)
// Working mode for block compression.
typedef enum {
AD,
PLAINTEXT,
CIPHERTEXT
} compress_mode;
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n);
static unsigned long long compress_data(unsigned char *state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode);
static void init_sponge_state(unsigned char state[SHADOW_NBYTES],
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob) {
*k = k_glob;
#if MULTI_USER
memcpy(p, k_glob + CLYDE128_NBYTES, P_NBYTES);
p[P_NBYTES - 1] &= 0x7F; // set last p bit to 0
p[P_NBYTES - 1] |= 0x40; // set next to last p bit to 0
#else
memset(p, 0, P_NBYTES);
#endif // MULTI_USER
}
static void init_sponge_state(unsigned char state[SHADOW_NBYTES],
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// init state
memset(state, 0, SHADOW_NBYTES);
memcpy(state + CLYDE128_NBYTES, p, P_NBYTES);
memcpy(state + CLYDE128_NBYTES + P_NBYTES, n, CRYPTO_NPUBBYTES);
// TBC
unsigned char padded_nonce[CLYDE128_NBYTES] = { 0 };
memcpy(padded_nonce, n, CRYPTO_NPUBBYTES);
unsigned char *b = state;
clyde128_encrypt(b, padded_nonce, p, k);
// initial permutation
shadow(state);
}
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
unsigned char state[SHADOW_NBYTES];
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long c_bytes = 0;
if (mlen > 0) {
state[RATE_BYTES] ^= 0x01;
c_bytes = compress_data(state, c, m, mlen, PLAINTEXT);
}
// tag
state[CLYDE128_NBYTES + CLYDE128_NBYTES - 1] |= 0x80;
clyde128_encrypt(c + c_bytes, state, state + CLYDE128_NBYTES, k);
*clen = c_bytes + CLYDE128_NBYTES;
}
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
unsigned char state[SHADOW_NBYTES];
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long m_bytes = 0;
if (clen > CLYDE128_NBYTES) {
state[RATE_BYTES] ^= 0x01;
m_bytes = compress_data(state, m, c, clen - CLYDE128_NBYTES, CIPHERTEXT);
}
// NOTE: We use here so-called "inverse-based tag verification",
// that is, we apply the inverse Clyde TBC to the tag extracted from
// the ciphertext and check the result against the output of Shadow.
// This way of verifying the tag is interesting in some specific cases
// such as side-channel protected implementations.
// In general implementations, the tag verification SHOULD be done in a
// more conventional way: encrypting the output of Shadow with Clyde and
// verifying the tag against the resulting value.
// This is more efficient as it does not require to implement the inverse
// Clyde.
// For more details, see the Spook specification at https://spook.dev.
unsigned char inv_tag[CLYDE128_NBYTES];
unsigned char *u = state;
state[(2 * CLYDE128_NBYTES) - 1] |= 0x80;
clyde128_decrypt(inv_tag, c + m_bytes, state + CLYDE128_NBYTES, k);
int tag_ok = 1;
for (int i = 0; i < CLYDE128_NBYTES; i++) {
tag_ok &= (u[i] == inv_tag[i]);
}
if (tag_ok) {
*mlen = m_bytes;
return 0;
} else {
// Reset output buffer to avoid unintended unauthenticated plaintext
// release.
memset(m, 0, clen - CLYDE128_NBYTES);
*mlen = 0;
return -1;
}
}
// Compress a block into the state. Length of the block is n and buffers are
// accessed starting at offset. Input block is d, output is written into
// buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Only the XOR operation is performed, not XORing of padding constants.
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n) {
if (mode == CIPHERTEXT) {
xor_bytes(out + offset, state, d + offset, n);
memcpy(state, d + offset, n);
} else {
xor_bytes(state, state, d + offset, n);
if (mode == PLAINTEXT) {
memcpy(out + offset, state, n);
}
}
}
// Compress a block into the state (in duplex-sponge mode).
// Input data buffer is d with length dlen.
// Output is written into buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Padding is handled if needed.
static unsigned long long compress_data(unsigned char *state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode) {
unsigned long long i;
for (i = 0; i < dlen / RATE_BYTES; i++) {
compress_block(state, out, d, mode, i * RATE_BYTES, RATE_BYTES);
shadow(state);
}
int rem = dlen % RATE_BYTES;
if (rem != 0) {
compress_block(state, out, d, mode, i * RATE_BYTES, rem);
state[rem] ^= 0x01;
state[RATE_BYTES] ^= 0x02;
shadow(state);
}
return i * RATE_BYTES + rem;
}
spook/Implementations/crypto_aead/spook128mu512v2/ref/s1p.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_S1P_H_
#define _H_S1P_H_
#include "parameters.h"
// Size of the P parameter
#define P_NBYTES 16
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob);
#endif //_H_S1P_H_
spook/Implementations/crypto_aead/spook128mu512v2/ref/utils.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdint.h>
#include "utils.h"
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void
xor_bytes(unsigned char* dest,
const unsigned char* src1,
const unsigned char* src2,
unsigned long long n)
{
for (unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
// Rotate right x by amount c.
// We use right rotation of integers for the lboxes while the specification
// tells left rotation of bitstrings due to the bitsting -> integer
// little-endian mapping used in Spook.
uint32_t
rotr(uint32_t x, unsigned int c)
{
return (x >> c) | (x << (32 - c));
}
// Convert 4 bytes into a uint32. Bytes are in little-endian.
uint32_t
le32u_dec(const unsigned char bytes[4])
{
uint32_t res = 0;
for (unsigned int col = 0; col < 4; col++) {
res |= ((uint32_t)bytes[col]) << 8 * col;
}
return res;
}
// Convert a uint32 into 4 bytes. Bytes are in little-endian.
void
le32u_enc(unsigned char bytes[4], uint32_t x)
{
for (unsigned int i = 0; i < 4; i++) {
bytes[i] = x >> 8 * i;
}
}
spook/Implementations/crypto_aead/spook128mu512v2/ref/utils.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_UTILS_H_
#define _H_UTILS_H_
#include <stdint.h>
void
xor_bytes(unsigned char* dest,
const unsigned char* src1,
const unsigned char* src2,
unsigned long long n);
uint32_t
rotr(uint32_t x, unsigned int c);
uint32_t
le32u_dec(const unsigned char bytes[4]);
void
le32u_enc(unsigned char bytes[4], uint32_t x);
#endif // _H_UTILS_H_
spook/Implementations/crypto_aead/spook128su384v2/LWC_AEAD_KAT_128_128.txt 0 → 100644
This source diff could not be displayed because it is too large. You can view the blob instead.
spook/Implementations/crypto_aead/spook128su384v2/opt_c/COPYING 0 → 100644
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.
spook/Implementations/crypto_aead/spook128su384v2/opt_c/api.h 0 → 100644
#include "parameters.h"
#define CRYPTO_KEYBYTES KEYBYTES
#define CRYPTO_NPUBBYTES 16
#define CRYPTO_NSECBYTES 0
#define CRYPTO_ABYTES 16
#define CRYPTO_NOOVERLAP 1
spook/Implementations/crypto_aead/spook128su384v2/opt_c/clyde_32bit.c 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers Olivier Bronchain
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define XORLS(DEST, OP) do { \
(DEST)[0] ^= (OP)[0]; \
(DEST)[1] ^= (OP)[1]; \
(DEST)[2] ^= (OP)[2]; \
(DEST)[3] ^= (OP)[3]; } while (0)
#define XORCST(DEST, LFSR) do { \
(DEST)[0] ^= ((LFSR)>>3 & 0x1); \
(DEST)[1] ^= ((LFSR)>>2 & 0x1); \
(DEST)[2] ^= ((LFSR)>>1 & 0x1); \
(DEST)[3] ^= ((LFSR) & 0x1); } while (0)
void clyde128_encrypt(clyde128_state state, const clyde128_state t, const unsigned char* k) {
// Key schedule
clyde128_state k_st;
memcpy(k_st, k, CLYDE128_NBYTES);
clyde128_state tk[3] = {
{ t[0], t[1], t[2], t[3] },
{ t[0] ^ t[2], t[1] ^ t[3], t[0], t[1] },
{ t[2], t[3], t[0] ^ t[2], t[1] ^ t[3] }
};
XORLS(tk[0], k_st);
XORLS(tk[1], k_st);
XORLS(tk[2], k_st);
// Datapath
XORLS(state, tk[0]);
uint32_t off = 0x924; // 2-bits describing the round key
uint32_t lfsr = 0x8; // LFSR for round constant
for (uint32_t s = 0; s < CLYDE_128_NS; s++) {
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
uint32_t b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
off >>=2;
XORLS(state, tk[off&0x03]);
}
}
spook/Implementations/crypto_aead/spook128su384v2/opt_c/crypto_aead.h 0 → 100644
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k);
spook/Implementations/crypto_aead/spook128su384v2/opt_c/encrypt.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "crypto_aead.h"
#include "s1p.h"
#ifdef __GNUC__
#define UNUSED __attribute__((unused))
#else
#define UNUSED
#endif
// Spook encryption.
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub, const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
s1p_encrypt(c, clen, ad, adlen, m, mlen, k_priv, p, npub);
return 0;
}
// Spook encryption.
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec UNUSED, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
return s1p_decrypt(m, mlen, ad, adlen, c, clen, k_priv, p, npub);
}
spook/Implementations/crypto_aead/spook128su384v2/opt_c/iacaMarks.h 0 → 100644
/*
* Copyright (2008-2009) Intel Corporation All Rights Reserved.
* The source code contained or described herein and all documents
* related to the source code ("Material") are owned by Intel Corporation
* or its suppliers or licensors. Title to the Material remains with
* Intel Corporation or its suppliers and licensors. The Material
* contains trade secrets and proprietary and confidential information
* of Intel or its suppliers and licensors. The Material is protected
* by worldwide copyright and trade secret laws and treaty provisions.
* No part of the Material may be used, copied, reproduced, modified,
* published, uploaded, posted, transmitted, distributed, or disclosed
* in any way without Intel(R)s prior express written permission.
*
* No license under any patent, copyright, trade secret or other
* intellectual property right is granted to or conferred upon you by
* disclosure or delivery of the Materials, either expressly, by implication,
* inducement, estoppel or otherwise. Any license under such intellectual
* property rights must be express and approved by Intel in writing.
*/
#if defined (__GNUC__)
#define IACA_SSC_MARK( MARK_ID ) \
__asm__ __volatile__ ( \
"\n\t movl $"#MARK_ID", %%ebx" \
"\n\t .byte 0x64, 0x67, 0x90" \
: : : "memory" );
#else
#define IACA_SSC_MARK(x) {__asm mov ebx, x\
__asm _emit 0x64 \
__asm _emit 0x67 \
__asm _emit 0x90 }
#endif
#define IACA_START {IACA_SSC_MARK(111)}
#define IACA_END {IACA_SSC_MARK(222)}
#ifdef _WIN64
#include <intrin.h>
#define IACA_VC64_START __writegsbyte(111, 111);
#define IACA_VC64_END __writegsbyte(222, 222);
#endif
/**************** asm *****************
;START_MARKER
mov ebx, 111
db 0x64, 0x67, 0x90
;END_MARKER
mov ebx, 222
db 0x64, 0x67, 0x90
**************************************/
spook/Implementations/crypto_aead/spook128su384v2/opt_c/parameters.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _PARAMETERS_H_
#define _PARAMETERS_H_
#define MULTI_USER 0
#define SMALL_PERM 1
#if MULTI_USER
#define KEYBYTES 32
#else
#define KEYBYTES 16
#endif
#include "api.h"
#if (KEYBYTES != CRYPTO_KEYBYTES)
#error "Wrong parameters in api.h"
#endif
#endif //_PARAMETERS_H_
spook/Implementations/crypto_aead/spook128su384v2/opt_c/primitives.c 0 → 100644
#include "primitives.h"
#ifdef SHADOW
static uint32_t lfsr_poly;
static uint32_t xtime_poly;
#endif
// Apply a S-box layer to a Clyde-128 state.
static void sbox_layer(uint32_t* state) {
uint32_t y1 = (state[0] & state[1]) ^ state[2];
uint32_t y0 = (state[3] & state[0]) ^ state[1];
uint32_t y3 = (y1 & state[3]) ^ state[0];
uint32_t y2 = (y0 & y1) ^ state[3];
state[0] = y0;
state[1] = y1;
state[2] = y2;
state[3] = y3;
}
// Apply a L-box to a pair of Clyde-128 rows.
static void lbox(uint32_t* x, uint32_t* y) {
uint32_t a, b, c, d;
a = *x ^ ROT32(*x, 12);
b = *y ^ ROT32(*y, 12);
a = a ^ ROT32(a, 3);
b = b ^ ROT32(b, 3);
a = a ^ ROT32(*x, 17);
b = b ^ ROT32(*y, 17);
c = a ^ ROT32(a, 31);
d = b ^ ROT32(b, 31);
a = a ^ ROT32(d, 26);
b = b ^ ROT32(c, 25);
a = a ^ ROT32(c, 15);
b = b ^ ROT32(d, 15);
*x = a;
*y = b;
}
#ifdef SHADOW
void set_poly_lfsr(uint32_t l){
lfsr_poly = l;
}
void set_poly_xtime(uint32_t l){
xtime_poly = l;
}
static uint32_t update_lfsr(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & lfsr_poly;
return (x<<1) ^ tmp;
}
static uint32_t xtime(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & xtime_poly;
return (x<<1) ^ tmp;
}
// Apply a D-box layer to a Shadow state.
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr) {
for (unsigned int row = 0; row < LS_ROWS; row++) {
#if SMALL_PERM
uint32_t x1 = state[0][row];
uint32_t x2 = state[1][row];
uint32_t x3 = state[2][row];
uint32_t a = x1 ^ x3;
uint32_t b = a ^ x2;
uint32_t c = xtime(a) ^ (x1 ^ x2);
state[0][row] = a ^ c;
state[1][row] = b;
state[2][row] = c;
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#else
state[0][row] ^= state[1][row];
state[2][row] ^= state[3][row];
state[1][row] ^= state[2][row];
state[3][row] ^= xtime(state[0][row]);
state[2][row] ^= xtime(state[3][row]);
state[1][row] = xtime(state[1][row]);
state[0][row] ^= state[1][row];
state[3][row] ^= state[0][row];
state[1][row] ^= state[2][row];
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#endif // SMALL_PERM
}
}
#endif
spook/Implementations/crypto_aead/spook128su384v2/opt_c/primitives.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_PRIMITIVES_H_
#define _H_PRIMITIVES_H_
#include <stdint.h>
#include "parameters.h"
#define CLYDE128_NBYTES 16
#define ROTL(x, n) ((x << n) | (x >> ((32-n) & 31)))
#ifndef SHCST
#define SHCST 1
#endif
#ifndef DBOX
#define DBOX 1
#endif
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
#define SHADOW_NBYTES 64
#endif // SMALL_PERM
#define LS_ROWS 4 // Rows in the LS design
#define LS_ROW_BYTES 4 // number of bytes per row in the LS design
#define MLS_BUNDLES \
(SHADOW_NBYTES / (LS_ROWS* LS_ROW_BYTES)) // Bundles in the mLS design
#define ROT32(x,n) ((uint32_t)(((x)>>(n))|((x)<<(32-(n)))))
typedef __attribute__((aligned(16))) uint32_t clyde128_state[LS_ROWS];
typedef __attribute__((aligned(64))) clyde128_state shadow_state[MLS_BUNDLES];
void clyde128_encrypt(clyde128_state state,
const clyde128_state t, const unsigned char* k);
void shadow(shadow_state state);
static void sbox_layer(uint32_t* state);
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr);
static void lbox(uint32_t* x, uint32_t* y);
#endif //_H_PRIMITIVES_H_
spook/Implementations/crypto_aead/spook128su384v2/opt_c/s1p.c 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "s1p.h"
#include "parameters.h"
#define CAPACITY_BYTES 32
#define RATE_BYTES (SHADOW_NBYTES - CAPACITY_BYTES)
#define RATE_BUNDLES (RATE_BYTES/(LS_ROWS*LS_ROW_BYTES))
// Working mode for block compression.
typedef enum {
AD,
PLAINTEXT,
CIPHERTEXT
} compress_mode;
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n);
static unsigned long long compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode);
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
static void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob) {
*k = k_glob;
#if MULTI_USER
memcpy(p, k_glob + CLYDE128_NBYTES, P_NBYTES);
p[P_NBYTES - 1] &= 0x7F; // set last p bit to 0
p[P_NBYTES - 1] |= 0x40; // set next to last p bit to 0
#else
memset(p, 0, P_NBYTES);
#endif // MULTI_USER
}
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// init state
memset(state, 0, SHADOW_NBYTES);
memcpy(state[0], n, P_NBYTES);
memcpy(state[1], p, CRYPTO_NPUBBYTES);
memcpy(state[2], n, CRYPTO_NPUBBYTES);
clyde128_encrypt(state[0], state[1], k);
// initial permutation
shadow(state);
}
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
shadow_state state;
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long c_bytes = 0;
if (mlen > 0) {
state[RATE_BUNDLES][0] ^= 0x01;
c_bytes = compress_data(state, c, m, mlen, PLAINTEXT);
}
// tag
state[1][LS_ROWS- 1] |= 0x80000000;
clyde128_encrypt(state[0], state[1], k);
memcpy(c+c_bytes, state[0], CLYDE128_NBYTES);
*clen = c_bytes + CLYDE128_NBYTES;
}
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
shadow_state state;
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long m_bytes = 0;
if (clen > CLYDE128_NBYTES) {
state[RATE_BUNDLES][0] ^= 0x01;
m_bytes = compress_data(state, m, c, clen - CLYDE128_NBYTES, CIPHERTEXT);
}
// tag verification
state[1][LS_ROWS- 1] |= 0x80000000;
clyde128_encrypt(state[0], state[1], k);
unsigned char *st0 = (unsigned char *) state[0];
int tag_ok = 1;
for (int i = 0; i < 4*LS_ROWS; i++) {
tag_ok &= (st0[i] == c[m_bytes+i]);
}
if (tag_ok) {
*mlen = m_bytes;
return 0;
} else {
// Reset output buffer to avoid unintended unauthenticated plaintext
// release.
memset(m, 0, clen - CLYDE128_NBYTES);
*mlen = 0;
return -1;
}
}
// Compress a block into the state. Length of the block is n and buffers are
// accessed starting at offset. Input block is d, output is written into
// buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Only the XOR operation is performed, not XORing of padding constants.
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n) {
if (mode == CIPHERTEXT) {
xor_bytes(out + offset, state, d + offset, n);
memcpy(state, d + offset, n);
} else {
xor_bytes(state, state, d + offset, n);
if (mode == PLAINTEXT) {
memcpy(out + offset, state, n);
}
}
}
// Compress a block into the state (in duplex-sponge mode).
// Input data buffer is d with length dlen.
// Output is written into buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Padding is handled if needed.
static unsigned long long compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode) {
unsigned long long i;
for (i = 0; i < dlen / RATE_BYTES; i++) {
compress_block((uint8_t *)state, out, d, mode, i * RATE_BYTES, RATE_BYTES);
shadow(state);
}
int rem = dlen % RATE_BYTES;
if (rem != 0) {
compress_block((uint8_t *)state, out, d, mode, i * RATE_BYTES, rem);
((uint8_t *)state)[rem] ^= 0x01;
((uint8_t *)state)[RATE_BYTES] ^= 0x02;
shadow(state);
}
return i * RATE_BYTES + rem;
}
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n) {
for ( unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
spook/Implementations/crypto_aead/spook128su384v2/opt_c/s1p.h 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef _H_S1P_H_
#define _H_S1P_H_
#include "parameters.h"
// Size of the P parameter
#define P_NBYTES 16
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob);
#endif //_H_S1P_H_
spook/Implementations/crypto_aead/spook128su384v2/opt_c/shadow_32bit.c 0 → 100644
/* MIT
*
* Copyright (c) 2019 Gaëtan Cassiers
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#define SHADOW
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define SHADOW_NS 6 // Number of steps
#define SHADOW_NR 2 * SHADOW_NS // Number of roundsv
void shadow(shadow_state state) {
uint32_t lfsr =0xf8737400; // LFSR for round constant
set_poly_xtime(0x101);
set_poly_lfsr(0xc5);
for (unsigned int s = 0; s < SHADOW_NS; s++) {
#pragma GCC unroll 0
for (unsigned int b = 0; b < MLS_BUNDLES; b++){
sbox_layer(state[b]);
lbox(&state[b][0], &state[b][1]);
lbox(&state[b][2], &state[b][3]);
state[b][1] ^= lfsr;
lfsr = update_lfsr(lfsr);
sbox_layer(state[b]);
}
dbox_mls_layer(state,&lfsr);
}
}
spook/Implementations/crypto_aead/spook128su384v2/opt_c/utils.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdint.h>
#include "utils.h"
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n) {
for (unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
// Rotate right x by amount c.
// We use right rotation of integers for the lboxes while the specification
// tells left rotation of bitstrings due to the bitsting -> integer
// little-endian mapping used in Spook.
//uint32_t rotr(uint32_t x, unsigned int c) { return (x >> c) | (x << (32 - c)); }
// Convert 4 bytes into a uint32. Bytes are in little-endian.
uint32_t le32u_dec(const unsigned char bytes[4]) {
uint32_t res = 0;
for (unsigned int col = 0; col < 4; col++) {
res |= ((uint32_t)bytes[col]) << 8 * col;
}
return res;
}
// Convert a uint32 into 4 bytes. Bytes are in little-endian.
void le32u_enc(unsigned char bytes[4], uint32_t x) {
for (unsigned int i = 0; i < 4; i++) {
bytes[i] = x >> 8 * i;
}
}
spook/Implementations/crypto_aead/spook128su384v2/opt_c/utils.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_UTILS_H_
#define _H_UTILS_H_
#include <stdint.h>
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n);
//uint32_t rotr(uint32_t x, unsigned int c);
uint32_t le32u_dec(const unsigned char bytes[4]);
void le32u_enc(unsigned char bytes[4], uint32_t x);
#endif // _H_UTILS_H_
spook/Implementations/crypto_aead/spook128su384v2/ref/COPYING 0 → 100644
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.
spook/Implementations/crypto_aead/spook128su384v2/ref/api.h 0 → 100644
#define CRYPTO_KEYBYTES 16
#define CRYPTO_NPUBBYTES 16
#define CRYPTO_NSECBYTES 0
#define CRYPTO_ABYTES 16
#define CRYPTO_NOOVERLAP 1
spook/Implementations/crypto_aead/spook128su384v2/ref/crypto_aead.h 0 → 100644
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k);
spook/Implementations/crypto_aead/spook128su384v2/ref/encrypt.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "crypto_aead.h"
#include "s1p.h"
#ifdef __GNUC__
#define UNUSED __attribute__((unused))
#else
#define UNUSED
#endif
// Spook encryption.
int
crypto_aead_encrypt(unsigned char* c,
unsigned long long* clen,
const unsigned char* m,
unsigned long long mlen,
const unsigned char* ad,
unsigned long long adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub,
const unsigned char* k)
{
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
s1p_encrypt(c, clen, ad, adlen, m, mlen, k_priv, p, npub);
return 0;
}
// Spook encryption.
int
crypto_aead_decrypt(unsigned char* m,
unsigned long long* mlen,
unsigned char* nsec UNUSED,
const unsigned char* c,
unsigned long long clen,
const unsigned char* ad,
unsigned long long adlen,
const unsigned char* npub,
const unsigned char* k)
{
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
return s1p_decrypt(m, mlen, ad, adlen, c, clen, k_priv, p, npub);
}
spook/Implementations/crypto_aead/spook128su384v2/ref/parameters.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _PARAMETERS_H_
#define _PARAMETERS_H_
#define MULTI_USER 0
#define SMALL_PERM 1
#if MULTI_USER
#define KEYBYTES 32
#else
#define KEYBYTES 16
#endif
#include "api.h"
#if (KEYBYTES != CRYPTO_KEYBYTES)
#error "Wrong parameters in api.h"
#endif
#endif //_PARAMETERS_H_
spook/Implementations/crypto_aead/spook128su384v2/ref/primitives.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_PRIMITIVES_H_
#define _H_PRIMITIVES_H_
#include "parameters.h"
#define CLYDE128_NBYTES 16
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
#define SHADOW_NBYTES 64
#endif // SMALL_PERM
void
clyde128_encrypt(unsigned char* c,
const unsigned char* m,
const unsigned char* t,
const unsigned char* k);
void
clyde128_decrypt(unsigned char* m,
const unsigned char* c,
const unsigned char* t,
const unsigned char* k);
void
shadow(unsigned char* x);
#endif //_H_PRIMITIVES_H_
spook/Implementations/crypto_aead/spook128su384v2/ref/s1p.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "s1p.h"
#include "parameters.h"
#include "primitives.h"
#include "utils.h"
#define CAPACITY_BYTES 32
#define RATE_BYTES (SHADOW_NBYTES - CAPACITY_BYTES)
// Working mode for block compression.
typedef enum {
AD,
PLAINTEXT,
CIPHERTEXT
} compress_mode;
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n);
static unsigned long long compress_data(unsigned char *state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode);
static void init_sponge_state(unsigned char state[SHADOW_NBYTES],
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob) {
*k = k_glob;
#if MULTI_USER
memcpy(p, k_glob + CLYDE128_NBYTES, P_NBYTES);
p[P_NBYTES - 1] &= 0x7F; // set last p bit to 0
p[P_NBYTES - 1] |= 0x40; // set next to last p bit to 0
#else
memset(p, 0, P_NBYTES);
#endif // MULTI_USER
}
static void init_sponge_state(unsigned char state[SHADOW_NBYTES],
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// init state
memset(state, 0, SHADOW_NBYTES);
memcpy(state + CLYDE128_NBYTES, p, P_NBYTES);
memcpy(state + CLYDE128_NBYTES + P_NBYTES, n, CRYPTO_NPUBBYTES);
// TBC
unsigned char padded_nonce[CLYDE128_NBYTES] = { 0 };
memcpy(padded_nonce, n, CRYPTO_NPUBBYTES);
unsigned char *b = state;
clyde128_encrypt(b, padded_nonce, p, k);
// initial permutation
shadow(state);
}
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
unsigned char state[SHADOW_NBYTES];
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long c_bytes = 0;
if (mlen > 0) {
state[RATE_BYTES] ^= 0x01;
c_bytes = compress_data(state, c, m, mlen, PLAINTEXT);
}
// tag
state[CLYDE128_NBYTES + CLYDE128_NBYTES - 1] |= 0x80;
clyde128_encrypt(c + c_bytes, state, state + CLYDE128_NBYTES, k);
*clen = c_bytes + CLYDE128_NBYTES;
}
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
unsigned char state[SHADOW_NBYTES];
init_sponge_state(state, k, p, n);
// compress associated data
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long m_bytes = 0;
if (clen > CLYDE128_NBYTES) {
state[RATE_BYTES] ^= 0x01;
m_bytes = compress_data(state, m, c, clen - CLYDE128_NBYTES, CIPHERTEXT);
}
// NOTE: We use here so-called "inverse-based tag verification",
// that is, we apply the inverse Clyde TBC to the tag extracted from
// the ciphertext and check the result against the output of Shadow.
// This way of verifying the tag is interesting in some specific cases
// such as side-channel protected implementations.
// In general implementations, the tag verification SHOULD be done in a
// more conventional way: encrypting the output of Shadow with Clyde and
// verifying the tag against the resulting value.
// This is more efficient as it does not require to implement the inverse
// Clyde.
// For more details, see the Spook specification at https://spook.dev.
unsigned char inv_tag[CLYDE128_NBYTES];
unsigned char *u = state;
state[(2 * CLYDE128_NBYTES) - 1] |= 0x80;
clyde128_decrypt(inv_tag, c + m_bytes, state + CLYDE128_NBYTES, k);
int tag_ok = 1;
for (int i = 0; i < CLYDE128_NBYTES; i++) {
tag_ok &= (u[i] == inv_tag[i]);
}
if (tag_ok) {
*mlen = m_bytes;
return 0;
} else {
// Reset output buffer to avoid unintended unauthenticated plaintext
// release.
memset(m, 0, clen - CLYDE128_NBYTES);
*mlen = 0;
return -1;
}
}
// Compress a block into the state. Length of the block is n and buffers are
// accessed starting at offset. Input block is d, output is written into
// buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Only the XOR operation is performed, not XORing of padding constants.
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n) {
if (mode == CIPHERTEXT) {
xor_bytes(out + offset, state, d + offset, n);
memcpy(state, d + offset, n);
} else {
xor_bytes(state, state, d + offset, n);
if (mode == PLAINTEXT) {
memcpy(out + offset, state, n);
}
}
}
// Compress a block into the state (in duplex-sponge mode).
// Input data buffer is d with length dlen.
// Output is written into buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Padding is handled if needed.
static unsigned long long compress_data(unsigned char *state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
compress_mode mode) {
unsigned long long i;
for (i = 0; i < dlen / RATE_BYTES; i++) {
compress_block(state, out, d, mode, i * RATE_BYTES, RATE_BYTES);
shadow(state);
}
int rem = dlen % RATE_BYTES;
if (rem != 0) {
compress_block(state, out, d, mode, i * RATE_BYTES, rem);
state[rem] ^= 0x01;
state[RATE_BYTES] ^= 0x02;
shadow(state);
}
return i * RATE_BYTES + rem;
}
spook/Implementations/crypto_aead/spook128su384v2/ref/s1p.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_S1P_H_
#define _H_S1P_H_
#include "parameters.h"
// Size of the P parameter
#define P_NBYTES 16
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob);
#endif //_H_S1P_H_
spook/Implementations/crypto_aead/spook128su384v2/ref/utils.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdint.h>
#include "utils.h"
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void
xor_bytes(unsigned char* dest,
const unsigned char* src1,
const unsigned char* src2,
unsigned long long n)
{
for (unsigned long long i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
// Rotate right x by amount c.
// We use right rotation of integers for the lboxes while the specification
// tells left rotation of bitstrings due to the bitsting -> integer
// little-endian mapping used in Spook.
uint32_t
rotr(uint32_t x, unsigned int c)
{
return (x >> c) | (x << (32 - c));
}
// Convert 4 bytes into a uint32. Bytes are in little-endian.
uint32_t
le32u_dec(const unsigned char bytes[4])
{
uint32_t res = 0;
for (unsigned int col = 0; col < 4; col++) {
res |= ((uint32_t)bytes[col]) << 8 * col;
}
return res;
}
// Convert a uint32 into 4 bytes. Bytes are in little-endian.
void
le32u_enc(unsigned char bytes[4], uint32_t x)
{
for (unsigned int i = 0; i < 4; i++) {
bytes[i] = x >> 8 * i;
}
}
spook/Implementations/crypto_aead/spook128su384v2/ref/utils.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along
* with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_UTILS_H_
#define _H_UTILS_H_
#include <stdint.h>
void
xor_bytes(unsigned char* dest,
const unsigned char* src1,
const unsigned char* src2,
unsigned long long n);
uint32_t
rotr(uint32_t x, unsigned int c);
uint32_t
le32u_dec(const unsigned char bytes[4]);
void
le32u_enc(unsigned char bytes[4], uint32_t x);
#endif // _H_UTILS_H_
spook/Implementations/crypto_aead/spook128su512v2/LWC_AEAD_KAT_128_128.txt 0 → 100644
This source diff could not be displayed because it is too large. You can view the blob instead.
spook/Implementations/crypto_aead/spook128su512v2/opt_c/COPYING 0 → 100644
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.
spook/Implementations/crypto_aead/spook128su512v2/opt_c/api.h 0 → 100644
#include "parameters.h"
#define CRYPTO_KEYBYTES KEYBYTES
#define CRYPTO_NPUBBYTES 16
#define CRYPTO_NSECBYTES 0
#define CRYPTO_ABYTES 16
#define CRYPTO_NOOVERLAP 1
spook/Implementations/crypto_aead/spook128su512v2/opt_c/clyde_32bit.c 0 → 100644
/* MIT License
*
* Copyright (c) 2019 Gaëtan Cassiers Olivier Bronchain
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define XORLS(DEST, OP) do { \
(DEST)[0] ^= (OP)[0]; \
(DEST)[1] ^= (OP)[1]; \
(DEST)[2] ^= (OP)[2]; \
(DEST)[3] ^= (OP)[3]; } while (0)
#define XORCST(DEST, LFSR) do { \
(DEST)[0] ^= ((LFSR)>>3 & 0x1); \
(DEST)[1] ^= ((LFSR)>>2 & 0x1); \
(DEST)[2] ^= ((LFSR)>>1 & 0x1); \
(DEST)[3] ^= ((LFSR) & 0x1); } while (0)
void clyde128_encrypt(clyde128_state state, const clyde128_state t, const unsigned char* k) {
// Key schedule
clyde128_state k_st;
memcpy(k_st, k, CLYDE128_NBYTES);
clyde128_state tk[3] = {
{ t[0], t[1], t[2], t[3] },
{ t[0] ^ t[2], t[1] ^ t[3], t[0], t[1] },
{ t[2], t[3], t[0] ^ t[2], t[1] ^ t[3] }
};
XORLS(tk[0], k_st);
XORLS(tk[1], k_st);
XORLS(tk[2], k_st);
// Datapath
XORLS(state, tk[0]);
uint32_t off = 0x924; // 2-bits describing the round key
uint32_t lfsr = 0x8; // LFSR for round constant
for (uint32_t s = 0; s < CLYDE_128_NS; s++) {
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
uint32_t b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
off >>=2;
XORLS(state, tk[off&0x03]);
}
}
spook/Implementations/crypto_aead/spook128su512v2/opt_c/crypto_aead.h 0 → 100644
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k);
spook/Implementations/crypto_aead/spook128su512v2/opt_c/encrypt.c 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "crypto_aead.h"
#include "s1p.h"
#ifdef __GNUC__
#define UNUSED __attribute__((unused))
#else
#define UNUSED
#endif
// Spook encryption.
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub, const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
s1p_encrypt(c, clen, ad, adlen, m, mlen, k_priv, p, npub);
return 0;
}
// Spook encryption.
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
unsigned char* nsec UNUSED, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
init_keys(&k_priv, p, k);
return s1p_decrypt(m, mlen, ad, adlen, c, clen, k_priv, p, npub);
}
spook/Implementations/crypto_aead/spook128su512v2/opt_c/iacaMarks.h 0 → 100644
/*
* Copyright (2008-2009) Intel Corporation All Rights Reserved.
* The source code contained or described herein and all documents
* related to the source code ("Material") are owned by Intel Corporation
* or its suppliers or licensors. Title to the Material remains with
* Intel Corporation or its suppliers and licensors. The Material
* contains trade secrets and proprietary and confidential information
* of Intel or its suppliers and licensors. The Material is protected
* by worldwide copyright and trade secret laws and treaty provisions.
* No part of the Material may be used, copied, reproduced, modified,
* published, uploaded, posted, transmitted, distributed, or disclosed
* in any way without Intel(R)s prior express written permission.
*
* No license under any patent, copyright, trade secret or other
* intellectual property right is granted to or conferred upon you by
* disclosure or delivery of the Materials, either expressly, by implication,
* inducement, estoppel or otherwise. Any license under such intellectual
* property rights must be express and approved by Intel in writing.
*/
#if defined (__GNUC__)
#define IACA_SSC_MARK( MARK_ID ) \
__asm__ __volatile__ ( \
"\n\t movl $"#MARK_ID", %%ebx" \
"\n\t .byte 0x64, 0x67, 0x90" \
: : : "memory" );
#else
#define IACA_SSC_MARK(x) {__asm mov ebx, x\
__asm _emit 0x64 \
__asm _emit 0x67 \
__asm _emit 0x90 }
#endif
#define IACA_START {IACA_SSC_MARK(111)}
#define IACA_END {IACA_SSC_MARK(222)}
#ifdef _WIN64
#include <intrin.h>
#define IACA_VC64_START __writegsbyte(111, 111);
#define IACA_VC64_END __writegsbyte(222, 222);
#endif
/**************** asm *****************
;START_MARKER
mov ebx, 111
db 0x64, 0x67, 0x90
;END_MARKER
mov ebx, 222
db 0x64, 0x67, 0x90
**************************************/
spook/Implementations/crypto_aead/spook128su512v2/opt_c/parameters.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _PARAMETERS_H_
#define _PARAMETERS_H_
#define MULTI_USER 0
#define SMALL_PERM 0
#if MULTI_USER
#define KEYBYTES 32
#else
#define KEYBYTES 16
#endif
#include "api.h"
#if (KEYBYTES != CRYPTO_KEYBYTES)
#error "Wrong parameters in api.h"
#endif
#endif //_PARAMETERS_H_
spook/Implementations/crypto_aead/spook128su512v2/opt_c/primitives.c 0 → 100644
#include "primitives.h"
#ifdef SHADOW
static uint32_t lfsr_poly;
static uint32_t xtime_poly;
#endif
// Apply a S-box layer to a Clyde-128 state.
static void sbox_layer(uint32_t* state) {
uint32_t y1 = (state[0] & state[1]) ^ state[2];
uint32_t y0 = (state[3] & state[0]) ^ state[1];
uint32_t y3 = (y1 & state[3]) ^ state[0];
uint32_t y2 = (y0 & y1) ^ state[3];
state[0] = y0;
state[1] = y1;
state[2] = y2;
state[3] = y3;
}
// Apply a L-box to a pair of Clyde-128 rows.
static void lbox(uint32_t* x, uint32_t* y) {
uint32_t a, b, c, d;
a = *x ^ ROT32(*x, 12);
b = *y ^ ROT32(*y, 12);
a = a ^ ROT32(a, 3);
b = b ^ ROT32(b, 3);
a = a ^ ROT32(*x, 17);
b = b ^ ROT32(*y, 17);
c = a ^ ROT32(a, 31);
d = b ^ ROT32(b, 31);
a = a ^ ROT32(d, 26);
b = b ^ ROT32(c, 25);
a = a ^ ROT32(c, 15);
b = b ^ ROT32(d, 15);
*x = a;
*y = b;
}
#ifdef SHADOW
void set_poly_lfsr(uint32_t l){
lfsr_poly = l;
}
void set_poly_xtime(uint32_t l){
xtime_poly = l;
}
static uint32_t update_lfsr(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & lfsr_poly;
return (x<<1) ^ tmp;
}
static uint32_t xtime(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & xtime_poly;
return (x<<1) ^ tmp;
}
// Apply a D-box layer to a Shadow state.
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr) {
for (unsigned int row = 0; row < LS_ROWS; row++) {
#if SMALL_PERM
uint32_t x1 = state[0][row];
uint32_t x2 = state[1][row];
uint32_t x3 = state[2][row];
uint32_t a = x1 ^ x3;
uint32_t b = a ^ x2;
uint32_t c = xtime(a) ^ (x1 ^ x2);
state[0][row] = a ^ c;
state[1][row] = b;
state[2][row] = c;
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#else
state[0][row] ^= state[1][row];
state[2][row] ^= state[3][row];
state[1][row] ^= state[2][row];
state[3][row] ^= xtime(state[0][row]);
state[2][row] ^= xtime(state[3][row]);
state[1][row] = xtime(state[1][row]);
state[0][row] ^= state[1][row];
state[3][row] ^= state[0][row];
state[1][row] ^= state[2][row];
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
#endif // SMALL_PERM
}
}
#endif
spook/Implementations/crypto_aead/spook128su512v2/opt_c/primitives.h 0 → 100644
/* Spook Reference Implementation v1
*
* Written in 2019 at UCLouvain (Belgium) by Olivier Bronchain, Gaetan Cassiers
* and Charles Momin.
* To the extent possible under law, the author(s) have dedicated all copyright
* and related and neighboring rights to this software to the public domain
* worldwide. This software is distributed without any warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication along with
* this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#ifndef _H_PRIMITIVES_H_
#define _H_PRIMITIVES_H_
#include <stdint.h>
#include "parameters.h"
#define CLYDE128_NBYTES 16
#define ROTL(x, n) ((x << n) | (x >> ((32-n) & 31)))
#ifndef SHCST
#define SHCST 1
#endif
#ifndef DBOX
#define DBOX 1
#endif
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
#define SHADOW_NBYTES 64
#endif // SMALL_PERM
#define LS_ROWS 4 // Rows in the LS design
#define LS_ROW_BYTES 4 // number of bytes per row in the LS design
#define MLS_BUNDLES \
(SHADOW_NBYTES / (LS_ROWS* LS_ROW_BYTES)) // Bundles in the mLS design
#define ROT32(x,n) ((uint32_t)(((x)>>(n))|((x)<<(32-(n)))))
typedef __attribute__((aligned(16))) uint32_t clyde128_state[LS_ROWS];
typedef __attribute__((aligned(64))) clyde128_state shadow_state[MLS_BUNDLES];
void clyde128_encrypt(clyde128_state state,
const clyde128_state t, const unsigned char* k);
void shadow(shadow_state state);
static void sbox_layer(uint32_t* state);
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr);
static void lbox(uint32_t* x, uint32_t* y);
#endif //_H_PRIMITIVES_H_
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment